
Windows Analysis Report
New PO.exe

Overview

General Information

Sample name: New PO.exe
Analysis ID: 1592400
MD5: 26ef64c7dff899344300c0ecedd6fae8
SHA1: 352d8daeda7f8a090892b84d11f1efeda700103e
SHA256: 9457469e8f677c795dcef72556c810c2e3b333f99f87f60d8ffd501b1069e0b4
Tags: exe, user-threatcat_ch

Detection

MassLogger RAT, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected MassLogger RAT
Yara detected PureLog Stealer
Yara detected Telegram RAT
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara signature match

Classification

  • System is w10x64
  • New PO.exe (PID: 1720 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 26EF64C7DFF899344300C0ECEDD6FAE8)
    • RegSvcs.exe (PID: 6352 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • New PO.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 26EF64C7DFF899344300C0ECEDD6FAE8)
      • RegSvcs.exe (PID: 1216 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • New PO.exe (PID: 6004 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 26EF64C7DFF899344300C0ECEDD6FAE8)
        • RegSvcs.exe (PID: 2316 cmdline: "C:\Users\user\Desktop\New PO.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Malware Configuration Extractor (MassLogger): {"EXfil Mode": "Telegram", "Telegram Token": "7929050820:AAHh36CQQ1Xhkbg_Gphq4yoqBiUwAg-LwiA", "Telegram Chatid": "1984300162"}
Source | Rule | Description | Author | Strings
00000006.00000002.3302821285.0000000000400000.00000040.80000000.00040000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1e4b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x1300:$s3: 83 EC 38 53 B0 64 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x2018a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1fdd0:$s5: delete[]
  • 0x1f288:$s6: constructor or from DllMain.
00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
  • 0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00
  • 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E
  • 0x700:$s3: 83 EC 38 53 B0 64 88 44 24 2B 88 44 24 2F B0 25 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ...
  • 0x1ed8a:$s4: B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
  • 0x1e9d0:$s5: delete[]
  • 0x1de88:$s6: constructor or from DllMain.
00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security
Source | Rule | Description | Author | Strings
6.2.RegSvcs.exe.400000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
6.2.RegSvcs.exe.400000.0.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
5.2.New PO.exe.ed0000.0.raw.unpack | MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen
6.2.RegSvcs.exe.2d41ad6.2.unpack | JoeSecurity_MassLogger | Yara detected MassLogger RAT | Joe Security
6.2.RegSvcs.exe.2d41ad6.2.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-16T04:24:02.787850+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49704 | 158.101.44.242 | 80 | TCP

            AV Detection

Source: New PO.exe | Avira: detected
Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: MassLogger {"EXfil Mode": "Telegram", "Telegram Token": "7929050820:AAHh36CQQ1Xhkbg_Gphq4yoqBiUwAg-LwiA", "Telegram Chatid": "1984300162"}
Source: New PO.exe | ReversingLabs: Detection: 36%
Source: New PO.exe | Virustotal: Detection: 36%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: New PO.exe | Joe Sandbox ML: detected

            Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: New PO.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: New PO.exe, 00000000.00000003.2048621149.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000000.00000003.2048267179.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2059995237.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2060186649.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2072057151.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2074067077.0000000004080000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: New PO.exe, 00000000.00000003.2048621149.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000000.00000003.2048267179.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2059995237.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2060186649.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2072057151.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2074067077.0000000004080000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F4C2A2 FindFirstFileExW, 0_2_00F4C2A2
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F868EE FindFirstFileW,FindClose, 0_2_00F868EE
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00F8698F
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F7D076
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F7D3A9
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F89642
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F8979D
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00F7DBBE
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00F89B2B
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00F85C97
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h | 6_2_02C9DD20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FE40E1h | 6_2_02FE3E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FE4837h | 6_2_02FE4418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FEEB21h | 6_2_02FEE878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FEFC81h | 6_2_02FEF9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FEF3D1h | 6_2_02FEF128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FE4837h | 6_2_02FE4764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FEEF79h | 6_2_02FEECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FE4837h | 6_2_02FE4408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then jmp 02FEF829h | 6_2_02FEF580
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.21.32.1 104.21.32.1
Source: Joe Sandbox View | IP Address: 158.101.44.242 158.101.44.242
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49704 -> 158.101.44.242:80
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: unknown | HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.5:49705 version: TLS 1.0
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8CE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_00F8CE44
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 | Host: reallyfreegeoip.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.0000000003310000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000006.00000002.3304409823.0000000003299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000006.00000002.3304409823.0000000003338000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000006.00000002.3304409823.0000000003299000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00F8EAFF
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00F8ED6A
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00F8EAFF
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_00F7AA57
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00FA9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00FA9576

            System Summary

Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 5.2.New PO.exe.ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 0.2.New PO.exe.ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 3.2.New PO.exe.3a50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000006.00000002.3302821285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
Source: 00000000.00000002.2050403627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: 00000005.00000002.2074604094.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects RedLine infostealer | Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
Source: New PO.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: New PO.exe, 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_44c514ba-e
            Source: New PO.exe, 00000003.00000000.2049545307.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_f4ca0e6e-5
            Source: New PO.exe, 00000003.00000000.2049545307.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_54dfb529-4
            Source: New PO.exe, 00000005.00000002.2074714197.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_bf5a4ef7-0
            Source: New PO.exe, 00000005.00000002.2074714197.0000000000FD2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c954dd3f-d
            Source: New PO.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_af4b199f-a
            Source: New PO.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_53ea5b41-d
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7D5EB: CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F71201: LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7E8F6: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F18060
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F82046
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F78298
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F4E4FF
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F4676B
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00FA4873
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F1CAF0
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F3CAA0
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F2CC39
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F46DD9
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F191C0
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F2B119
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F31394
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F31706
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F3781B
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F319B0
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F2997D
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F17920
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F37A4A
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F37CA7
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F31C77
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F49EEE
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F9BE44
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F31F32
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_01130CA0
Source: C:\Users\user\Desktop\New PO.exe | Code function: 3_2_014C0B58
Source: C:\Users\user\Desktop\New PO.exe | Code function: 5_2_01942EE8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C91448
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C91437
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C9119B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C911A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C91140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE6B10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEB030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE3E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEB700
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE7BE2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE6B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEE878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEE86A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEB02A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF9D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF9C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF128
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEA688
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEA678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE1E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FE3E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEECD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEECBF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEF570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\New PO.exe | Code function: String function: 00F2F9F2 appears 40 times
Source: C:\Users\user\Desktop\New PO.exe | Code function: String function: 00F19CB3 appears 31 times
Source: C:\Users\user\Desktop\New PO.exe | Code function: String function: 00F30A30 appears 46 times
Source: New PO.exe, 00000000.00000003.2048786009.0000000003E9D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000000.00000003.2048007356.0000000003CF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000000.00000002.2050403627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs New PO.exe
Source: New PO.exe, 00000003.00000003.2060186649.0000000003ECD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs New PO.exe
Source: New PO.exe, 00000003.00000003.2060463923.0000000003D23000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000005.00000003.2070557253.00000000041AD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000005.00000003.2070247137.0000000004003000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs New PO.exe
Source: New PO.exe, 00000005.00000002.2074604094.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCloudServices.exe< vs New PO.exe
Source: New PO.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
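Added example (editor's code, not part of the Joe Sandbox report or its tooling): a standard-library Python triage script that reproduces, on a file or a memory dump, the two checks behind the rows above. It looks for the AutoIt3 runtime marker that drives "Binary is likely a compiled AutoIt script file", and it pulls OriginalFilename values out of VS_VERSION_INFO data with a UTF-16LE regex (a heuristic over raw bytes, not a full resource-directory parser) and reports those that disagree with the name the sample runs under, which is what the "OriginalFilename... vs New PO.exe" rows record. Two caveats a reader of these rows should keep in mind. First, the marker, the PCRE script-name table, the `runas`/`winsta0\default`/`Se*Privilege` strings and the LogonUserW/DuplicateTokenEx/CreateProcessAsUserW chain at 0_2_00F71201 all belong to the stock AutoIt3 interpreter (its RunAs implementation) that every compiled AutoIt script carries, so they establish how the dropper was packaged, not what the payload does. Second, an OriginalFilename mismatch is a pivot rather than a verdict: the `CloudServices.exe` value sits in the same regions (0xED0000 in processes 0 and 5, 0x3A50000 in process 3) that the MALWARE_Win_RedLine rule matches in the Yara rows, so it is the unpacked payload's own compile-time name, whereas the `ntdll.dll` values only show that a copy of ntdll's version resource was present in the dropper's private memory. `SAMPLE_DUMP` and `SAMPLE_NAME` are constructed stand-ins for the demonstration.

```python
"""Stand-alone triage for two observations from the report (editor's example code):
1. the AutoIt3 runtime marker string behind "Binary is likely a compiled AutoIt script file";
2. VS_VERSION_INFO OriginalFilename values in a file or dump that disagree with the name
   the sample runs under (the "OriginalFilename... vs New PO.exe" rows).
Only the standard library is used, so it runs anywhere Python 3.9+ does.
"""
import re
from pathlib import Path

# Strings the AutoIt3 interpreter embeds in every compiled script. Presence means
# "built with AutoIt", not "malicious": legitimate AutoIt tools carry the same bytes.
AUTOIT_MARKERS = (
    b"This is a third-party compiled AutoIt script.",
    b"AutoIt3GUI",
)

# StringFileInfo entries are UTF-16LE: the key "OriginalFilename", a NUL terminator,
# optional DWORD padding, then the NUL-terminated value. Values are limited to ASCII
# characters here (each is one non-NUL byte followed by a NUL byte in UTF-16LE).
_ORIGINAL_FILENAME_RE = re.compile(
    "OriginalFilename".encode("utf-16-le")
    + b"\x00\x00(?:\x00\x00)?"
    + b"((?:[^\x00]\x00){1,260})"
)


def is_compiled_autoit(data: bytes) -> bool:
    """True if any AutoIt3 runtime marker appears in the bytes."""
    return any(marker in data for marker in AUTOIT_MARKERS)


def find_original_filenames(data: bytes) -> list[str]:
    """Every OriginalFilename value found in a PE image or memory dump, in file order."""
    return [m.group(1).decode("utf-16-le") for m in _ORIGINAL_FILENAME_RE.finditer(data)]


def original_filename_mismatches(data: bytes, running_name: str) -> list[str]:
    """OriginalFilename values that differ (case-insensitively) from the on-disk name.

    A mismatch is a pivot, not a verdict: a dump can contain the version resource of a
    DLL the sample merely read or mapped (ntdll.dll in the report), as well as the
    compile-time name of an unpacked payload (CloudServices.exe in the report).
    """
    return [n for n in find_original_filenames(data) if n.lower() != running_name.lower()]


def triage(data: bytes, running_name: str) -> dict:
    """Bundle the two checks for one file or dump."""
    return {
        "compiled_autoit": is_compiled_autoit(data),
        "original_filenames": find_original_filenames(data),
        "mismatches": original_filename_mismatches(data, running_name),
    }


def _string_entry(key: str, value: str) -> bytes:
    """Constructed StringFileInfo child: key, NUL, DWORD pad, value, NUL (UTF-16LE).
    Real entries also carry wLength/wValueLength/wType headers, which the regex ignores."""
    return key.encode("utf-16-le") + b"\x00\x00\x00\x00" + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for a dump of the dropper: the AutoIt marker, the unpacked
# payload's own version entry, and a copy of ntdll's version entry. Not real sample bytes.
SAMPLE_NAME = "New PO.exe"
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"This is a third-party compiled AutoIt script."
    + b"\x00" * 8
    + _string_entry("OriginalFilename", "CloudServices.exe")
    + b"\x00" * 8
    + _string_entry("OriginalFilename", "ntdll.dll")
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python triage.py <file-or-dump>; the running name is taken from the path.
        path = Path(sys.argv[1])
        print(triage(path.read_bytes(), path.name))
    else:
        print(triage(SAMPLE_DUMP, SAMPLE_NAME))
```

Run it against a Joe Sandbox `.sdmp` or the sample on disk and treat each reported name as a question to answer from the other rows (which region, which process, which Yara rule also fires there), not as a finding on its own.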
Source: 6.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 5.2.New PO.exe.ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.New PO.exe.ed0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 3.2.New PO.exe.3a50000.1.raw.unpack, type: UNPACKEDPE | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 | date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.3302821285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_RedLine | snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
            Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
            Source: 00000000.00000002.2050403627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: 00000005.00000002.2074604094.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
            Source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
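            The matched-rule lines above are only useful in triage once they are grouped by process: the source names encode which process the dump or unpacked PE came from, and the grouping makes it plain that the RegSvcs.exe instance (process 6) is the one carrying the SnakeKeylogger, Envrial and RedLine signatures while the New PO.exe instances (processes 0, 3, 5) match only the RedLine rule. The parser below is an editor's example, not Joe Sandbox output; the sample lines are copied from this report with their metadata shortened, and the reading of the source names (process index as the first numeric field of both the `.raw.unpack` and `.sdmp` names) is an assumption about Joe Sandbox's naming scheme.

```python
import re
from collections import defaultdict

# Constructed sample: "Matched rule" lines copied from this report, metadata shortened.
# One line keeps the extraction defect "UNPACKEDPEMatched" so the parser is shown to cope.
SAMPLE_LINES = [
    "Source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, author = Florian Roth",
    "Source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, threat_name = Windows.Trojan.SnakeKeylogger",
    "Source: 00000006.00000002.3302821285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073",
    "Source: 00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine author = ditekSHen",
    "Source: 00000000.00000002.2050403627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine author = ditekSHen",
    "Source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows",
]

# Report line shape: "Source: <source>, type: <TYPE> Matched rule: <rule> <key = value, ...>".
# The HTML-to-text extraction sometimes drops the space before "Matched", hence \s*.
HIT_RE = re.compile(
    r"^Source: (?P<source>.+?), type: (?P<type>[A-Z]+)\s*Matched rule: (?P<rule>\S+)\s*(?P<meta>.*)$"
)
# Source-name shapes seen in the report (assumed layout: process index first).
UNPACK_RE = re.compile(r"^(?P<idx>\d+)\.\d+\.(?P<image>.+?)\.[0-9a-fA-F]+\.\d+\.raw\.unpack$")
SDMP_RE = re.compile(r"^(?P<idx>\d{8})\.\d{8}\.\d+\.(?P<base>[0-9A-Fa-f]{16})\.")
MEMSTR_RE = re.compile(r"^Process Memory Space: (?P<image>\S+) PID: (?P<pid>\d+)$")
# "key = value" pairs; a value may itself contain ", " (see clamav_sig), so a value
# ends only before the next "key = " or at the end of the string.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")


def process_key(source):
    """Map a source name to a process key: the process index when encoded, else the PID."""
    m = UNPACK_RE.match(source) or SDMP_RE.match(source)
    if m:
        return str(int(m.group("idx")))
    m = MEMSTR_RE.match(source)
    if m:
        return f"pid {m.group('pid')}"
    return "unknown"


def parse_meta(meta):
    """Turn the rule metadata tail into a dict without splitting comma-bearing values."""
    return dict(META_RE.findall(meta.strip()))


def parse_hit(line):
    """Parse one report line; returns None for lines that are not rule matches."""
    m = HIT_RE.match(line.strip())
    if not m:
        return None
    return {
        "process": process_key(m.group("source")),
        "type": m.group("type"),
        "rule": m.group("rule"),
        "meta": parse_meta(m.group("meta")),
    }


def rules_by_process(lines):
    """Process key -> sorted list of distinct rule names that fired in it."""
    grouped = defaultdict(set)
    for line in lines:
        hit = parse_hit(line)
        if hit:
            grouped[hit["process"]].add(hit["rule"])
    return {proc: sorted(rules) for proc, rules in grouped.items()}


if __name__ == "__main__":
    for proc, rules in sorted(rules_by_process(SAMPLE_LINES).items()):
        print(f"process {proc}: {', '.join(rules)}")
```

            Feeding the whole signature table through `rules_by_process` gives one line per process, which is the view a responder wants before deciding which process dump to pull: here the injected RegSvcs.exe is the payload carrier and the three New PO.exe processes are the loader stages.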
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/1@2/2
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F837B5 GetLastError,FormatMessageW | 0_2_00F837B5
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F710BF AdjustTokenPrivileges,CloseHandle | 0_2_00F710BF
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F716C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_00F716C3
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F851CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_00F851CD
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F9A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_00F9A67C
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize | 0_2_00F8648E
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F142A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00F142A2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
            Source: C:\Users\user\Desktop\New PO.exe | File created: C:\Users\user\AppData\Local\Temp\teres
            Source: New PO.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\New PO.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: RegSvcs.exe, 00000006.00000002.3304409823.000000000338B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3305606667.00000000042AE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.000000000337C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.00000000033BA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.000000000339A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3304409823.00000000033AE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: New PO.exe | ReversingLabs: Detection: 36%
            Source: New PO.exe | Virustotal: Detection: 36%
            Source: unknown | Process created: C:\Users\user\Desktop\New PO.exe "C:\Users\user\Desktop\New PO.exe"
            Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
            Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Users\user\Desktop\New PO.exe "C:\Users\user\Desktop\New PO.exe"
            Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
            Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Users\user\Desktop\New PO.exe "C:\Users\user\Desktop\New PO.exe"
            Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
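            Every RegSvcs.exe in the process tree above was started with the parent's own path as its command line ("C:\Users\user\Desktop\New PO.exe"), not with a RegSvcs.exe invocation. That is the footprint left in process-creation telemetry by loaders that start a signed Microsoft binary suspended and replace or overwrite its memory, and it is detectable from command-line data alone. The scanner below is an added example by the editor, not part of this report or of any vendor tool; the events are constructed to mirror this report's tree (the explorer.exe parent of the first event and the benign third event are assumptions), and the list of commonly abused .NET hosts is illustrative.

```python
import ntpath

# .NET Framework utilities that are routinely used as injection hosts by loaders of
# this kind. Illustrative list, not taken from the report.
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# Path fragments treated as user-writable for the parent-location check.
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")

# Constructed process-creation events (Sysmon Event ID 1 field names) mirroring the
# tree in this report. The explorer.exe parent and the third, benign RegSvcs.exe
# invocation are assumptions made for the example.
EVENTS = [
    {"Image": r"C:\Users\user\Desktop\New PO.exe",
     "CommandLine": r'"C:\Users\user\Desktop\New PO.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\New PO.exe"',
     "ParentImage": r"C:\Users\user\Desktop\New PO.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u C:\App\Comp.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]


def argv0(command_line):
    """First token of a Windows command line, honouring a quoted program path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def image_mismatch(event):
    """True when argv[0] names a different executable than the image actually running.
    The creator chooses the command line in CreateProcess; a RegSvcs.exe whose
    command line is the parent's own path was started as a shell for foreign code."""
    claimed = ntpath.basename(argv0(event["CommandLine"])).lower()
    actual = ntpath.basename(event["Image"]).lower()
    return claimed != actual


def dotnet_host_from_user_path(event):
    """True when a known injection host is spawned by a binary in a user-writable location."""
    host = ntpath.basename(event["Image"]).lower() in DOTNET_HOSTS
    parent = event["ParentImage"].lower()
    return host and any(frag in parent for frag in USER_WRITABLE)


def scan(events):
    """Return one finding per suspicious event, with the reasons that fired."""
    findings = []
    for ev in events:
        reasons = []
        if image_mismatch(ev):
            reasons.append("argv0/image mismatch")
        if dotnet_host_from_user_path(ev):
            reasons.append("dotnet host spawned from user-writable path")
        if reasons:
            findings.append({"image": ev["Image"], "parent": ev["ParentImage"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(EVENTS):
        print(f["image"], "<-", f["parent"], ":", "; ".join(f["reasons"]))
```

            The two checks are deliberately independent: the argv[0] mismatch fires on any hollowed host regardless of name, while the parent-location rule catches the same loader family when it passes a plausible command line. A legitimate `RegSvcs.exe /u` run from an installer matches neither.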
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\New PO.exe | Section loaded: wldp.dll
            (the same eleven modules are reported, in the same order, for each of the three New PO.exe processes in the tree above; the two repeated lists are omitted here)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: New PO.exe | Static file information: File size 1425408 > 1048576
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: New PO.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: _.pdb source: RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp
            Source: Binary string: wntdll.pdbUGP source: New PO.exe, 00000000.00000003.2048621149.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000000.00000003.2048267179.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2059995237.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2060186649.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2072057151.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2074067077.0000000004080000.00000004.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: New PO.exe, 00000000.00000003.2048621149.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000000.00000003.2048267179.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2059995237.0000000003C00000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000003.00000003.2060186649.0000000003DA0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2072057151.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, New PO.exe, 00000005.00000003.2074067077.0000000004080000.00000004.00001000.00020000.00000000.sdmp
            Source: New PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: New PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: New PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: New PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: New PO.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F142DE
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F30A76 push ecx; ret | 0_2_00F30A89
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C40C push cs; iretd | 6_2_0041C4E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_00423149 push eax; ret | 6_2_00423179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C50E push cs; iretd | 6_2_0041C4E2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004231C8 push eax; ret | 6_2_00423179
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040E21D push ecx; ret | 6_2_0040E230
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041C6BE push ebx; ret | 6_2_0041C6BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0041BFCD pushad ; ret | 6_2_0041BFCE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02C9529A push esi; ret | 6_2_02C9529B
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F2F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00F2F98E
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00FA1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_00FA1C41
            Source: C:\Users\user\Desktop\New PO.exe | Process information set: NOOPENFILEERRORBOX (reported 6 times)
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (reported 58 times)

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR
            Source: C:\Users\user\Desktop\New PO.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-97931
            Source: C:\Users\user\Desktop\New PO.exe | API/Special instruction interceptor: Address: 11308C4
            Source: C:\Users\user\Desktop\New PO.exe | API/Special instruction interceptor: Address: 14C077C
            Source: C:\Users\user\Desktop\New PO.exe | API/Special instruction interceptor: Address: 1942B0C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 6_2_004019F0
            Source: C:\Users\user\Desktop\New PO.exe | API coverage: 3.4 %
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F4C2A2 FindFirstFileExW | 0_2_00F4C2A2
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F868EE FindFirstFileW,FindClose | 0_2_00F868EE
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime | 0_2_00F8698F
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F7D076
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_00F7D3A9
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F89642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F89642
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_00F8979D
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose | 0_2_00F7DBBE
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F89B2B FindFirstFileW,Sleep,FindNextFileW,FindClose | 0_2_00F89B2B
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F85C97 FindFirstFileW,FindNextFileW,FindClose | 0_2_00F85C97
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F142DE
            Source: RegSvcs.exe, 00000006.00000002.3303341221.00000000012D8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | API call chain: ExitProcess graph end node
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_02FEB030 LdrInitializeThunk | 6_2_02FEB030
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F8EAA2 BlockInput | 0_2_00F8EAA2
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F42622
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,CloseHandle,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear | 6_2_004019F0
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00F142DE
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F34CE8 mov eax, dword ptr fs:[00000030h] | 0_2_00F34CE8
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_01130B30 mov eax, dword ptr fs:[00000030h] | 0_2_01130B30
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_01130B90 mov eax, dword ptr fs:[00000030h] | 0_2_01130B90
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_0112F520 mov eax, dword ptr fs:[00000030h] | 0_2_0112F520
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 3_2_014C0A48 mov eax, dword ptr fs:[00000030h] | 3_2_014C0A48
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 3_2_014BF3D8 mov eax, dword ptr fs:[00000030h] | 3_2_014BF3D8
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 3_2_014C09E8 mov eax, dword ptr fs:[00000030h] | 3_2_014C09E8
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 5_2_01942DD8 mov eax, dword ptr fs:[00000030h] | 5_2_01942DD8
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 5_2_01942D78 mov eax, dword ptr fs:[00000030h] | 5_2_01942D78
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 5_2_01941768 mov eax, dword ptr fs:[00000030h] | 5_2_01941768
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree | 0_2_00F70B62
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F42622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F42622
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F3083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00F3083F
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F309D5 SetUnhandledExceptionFilter | 0_2_00F309D5
            Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F30C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00F30C21
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 6_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 6_2_0040CE09
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_0040E61C
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_00416F6A
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 6_2_004123F1 SetUnhandledExceptionFilter,6_2_004123F1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMemory allocated: page read and write | page guardJump to behavior

            HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\New PO.exe | Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write
Source: C:\Users\user\Desktop\New PO.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: D50008
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F71201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00F71201
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F52BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00F52BA5
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F7B226 SendInput,keybd_event, 0_2_00F7B226
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F922DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00F922DA
Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
Source: C:\Users\user\Desktop\New PO.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\New PO.exe"
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F70B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00F70B62
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F71663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00F71663
Source: New PO.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: New PO.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F30698 cpuid 0_2_00F30698
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: GetLocaleInfoA, 6_2_00417A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F88195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00F88195
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F6D27A GetUserNameW, 0_2_00F6D27A
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F4B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_00F4B952
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F142DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00F142DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: New PO.exe | Binary or memory string: WIN_81
Source: New PO.exe | Binary or memory string: WIN_XP
Source: New PO.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: New PO.exe | Binary or memory string: WIN_XPe
Source: New PO.exe | Binary or memory string: WIN_VISTA
Source: New PO.exe | Binary or memory string: WIN_7
Source: New PO.exe | Binary or memory string: WIN_8

            Remote Access Functionality

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY

Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0ee8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2f80000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4236458.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d41ad6.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.425eb90.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2ee0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.2d40bee.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.RegSvcs.exe.4235570.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 2316, type: MEMORYSTR

Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F91204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00F91204
Source: C:\Users\user\Desktop\New PO.exe | Code function: 0_2_00F91806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00F91806
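The rows above give a defender four concrete, host-observable facts: the dropper starts the .NET utility RegSvcs.exe with a command line that names "New PO.exe" instead of RegSvcs.exe (the "Process created" rows under HIPS / PFW / Operating System Protection Evasion, the classic process-hollowing tell), the hollowed RegSvcs.exe opens the Chrome and Edge "Login Data" stores and the Outlook profile key (Stealing of Sensitive Information), it resolves checkip.dyndns.com / reallyfreegeoip.org to learn the victim's public IP and country, and it carries a Telegram bot "sendDocument" URL for exfiltration (URL table further down). The script below turns those facts into a small triage routine. It is an added example written for this page, not part of the Joe Sandbox report: the event schema (dicts with a "type" key) is an assumption, the events are constructed to mirror the report's rows, and the "AU3!EA06" byte marker is the commonly documented AutoIt3 compiled-script header rather than something the report states (the report does show the ">>>AUTOIT SCRIPT<<<" string).

```python
"""Triage of endpoint telemetry against the behaviours this report documents:
process hollowing into RegSvcs.exe, Chrome/Edge "Login Data" and Outlook
profile-key access, IP-check lookups and Telegram bot API exfiltration.
Added example, not part of the Joe Sandbox report. The event schema is an
assumption; the sample events are constructed to mirror the report's rows."""
import re
from collections import Counter
from typing import Dict, List

# Indicators taken from the report's rows.
LOGIN_DATA = re.compile(
    r"\\(Google\\Chrome|Microsoft\\Edge)\\User Data\\[^\\]+\\Login Data$", re.I)
OUTLOOK_PROFILE = re.compile(
    r"\\Windows Messaging Subsystem\\Profiles\\.*\\9375CFF0413111d3B88A00104B2A6676$", re.I)
IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com", "reallyfreegeoip.org"}
TELEGRAM_BOT = re.compile(r"^https?://api\.telegram\.org/bot[^/]*/send\w+", re.I)
# ">>>AUTOIT SCRIPT<<<" is a string the report extracted from the dropper;
# "AU3!EA06" is the commonly documented AutoIt3 script-header magic (assumption).
AUTOIT_MARKERS = (b">>>AUTOIT SCRIPT<<<", b"AU3!EA06")


def _basename(path: str) -> str:
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def _cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted image path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def is_hollowing_candidate(image: str, cmdline: str) -> bool:
    """A process whose on-disk image differs from the image its own command
    line names is the hollowing tell the report shows: RegSvcs.exe started
    with the command line of New PO.exe."""
    return _basename(image) != _basename(_cmdline_image(cmdline))


def looks_like_compiled_autoit(blob: bytes) -> bool:
    """Static check for the compiled-AutoIt markers in a file slice."""
    return any(marker in blob for marker in AUTOIT_MARKERS)


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Map each event to the ATT&CK technique it evidences; unmatched events are dropped."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_created" and is_hollowing_candidate(ev["image"], ev["cmdline"]):
            findings.append({"technique": "T1055.012", "actor": ev["parent"],
                             "detail": "%s started with the command line of %s" % (
                                 _basename(ev["image"]), _basename(_cmdline_image(ev["cmdline"])))})
        elif kind == "file_opened" and LOGIN_DATA.search(ev["path"]):
            findings.append({"technique": "T1555.003", "actor": ev["actor"], "detail": ev["path"]})
        elif kind == "key_opened" and OUTLOOK_PROFILE.search(ev["path"]):
            findings.append({"technique": "T1552.002", "actor": ev["actor"], "detail": ev["path"]})
        elif kind == "dns" and ev["host"].lower() in IP_CHECK_HOSTS:
            findings.append({"technique": "T1016", "actor": ev["actor"], "detail": ev["host"]})
        elif kind == "url" and TELEGRAM_BOT.match(ev["url"]):
            findings.append({"technique": "T1567", "actor": ev["actor"], "detail": ev["url"]})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Technique -> number of supporting events."""
    return dict(Counter(f["technique"] for f in findings))


# Constructed events (not sandbox output) mirroring the report's rows, plus one benign control.
SAMPLE_EVENTS = [
    {"type": "process_created", "parent": r"C:\Users\user\Desktop\New PO.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Users\user\Desktop\New PO.exe"'},
    {"type": "process_created", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'"C:\Windows\System32\notepad.exe" notes.txt'},
    {"type": "file_opened", "actor": "RegSvcs.exe",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "file_opened", "actor": "RegSvcs.exe",
     "path": r"C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"},
    {"type": "key_opened", "actor": "RegSvcs.exe",
     "path": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    {"type": "dns", "actor": "RegSvcs.exe", "host": "checkip.dyndns.com"},
    {"type": "dns", "actor": "RegSvcs.exe", "host": "reallyfreegeoip.org"},
    {"type": "url", "actor": "RegSvcs.exe", "url": "https://api.telegram.org/bot-/sendDocument?chat_id="},
]

# Constructed byte slice standing in for part of the dropper; carries the report's marker string.
SAMPLE_BLOB = b"\x00" * 16 + b">>>AUTOIT SCRIPT<<<" + b"\x00" * 16

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], f["actor"], f["detail"])
    print(summarize(triage(SAMPLE_EVENTS)))
    print("compiled AutoIt markers:", looks_like_compiled_autoit(SAMPLE_BLOB))
```

The image-versus-command-line comparison is the one check worth carrying into production telemetry (Sysmon event 1 or the equivalent EDR field): a legitimate RegSvcs.exe launch names RegSvcs.exe in its own command line, so a mismatch with a user-profile parent is high-signal regardless of the payload family. The Login Data and Outlook-profile checks are noisy on their own (browsers and Outlook touch those paths constantly); they become useful only when the accessing process is not the browser or Outlook, which is why the sample events record the actor.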
MITRE ATT&CK matrix (the grid was flattened in extraction; listed here, grouped by tactic, are the techniques the report linked to its signatures; the unlinked filler cells and the per-cell counts are not reproduced):

Initial Access: Valid Accounts
Execution: Native API
Persistence: DLL Side-Loading; Valid Accounts
Privilege Escalation: Exploitation for Privilege Escalation; DLL Side-Loading; Valid Accounts; Access Token Manipulation; Process Injection
Defense Evasion: Disable or Modify Tools; Deobfuscate/Decode Files or Information; Obfuscated Files or Information; DLL Side-Loading; Valid Accounts; Virtualization/Sandbox Evasion; Access Token Manipulation; Process Injection
Credential Access: OS Credential Dumping; Input Capture
Discovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Security Software Discovery; Virtualization/Sandbox Evasion; Process Discovery; Application Window Discovery; System Owner/User Discovery; System Network Configuration Discovery
Collection: Archive Collected Data; Data from Local System; Email Collection; Input Capture; Clipboard Data
Command and Control: Ingress Tool Transfer; Encrypted Channel; Non-Application Layer Protocol; Application Layer Protocol
Impact: System Shutdown/Reboot
Reconnaissance, Resource Development, Lateral Movement, Exfiltration: no technique linked
Behavior Graph ID: 1592400 | Sample: New PO.exe | Start date: 16/01/2025 | Architecture: WINDOWS | Score: 100

Process tree recovered from the behavior graph (the graph image is not preserved; numbers in parentheses are the graph's per-node created-file / registry-value counters, in the order drawn; bracketed text is the signatures attached to that node):

New PO.exe (1) [Binary is likely a compiled AutoIt script file]
    New PO.exe [Binary is likely a compiled AutoIt script file]
        New PO.exe [Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process]
            RegSvcs.exe (15, 2) [Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc)]
                -> checkip.dyndns.com 158.101.44.242, port 80 (ephemeral port 49704), ORACLE-BMC-31898US, United States
                -> reallyfreegeoip.org 104.21.32.1, port 443 (ephemeral port 49705), CLOUDFLARENETUS, United States [Tries to detect the country of the analysis system (by using the IP)]
        RegSvcs.exe
    RegSvcs.exe

Also resolved: checkip.dyndns.org (no IP recorded). Signatures on the sample node: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 10 other signatures.



Antivirus detection, initial sample:

Source | Detection | Scanner | Label
New PO.exe | 37% | ReversingLabs | Win32.Trojan.Generic
New PO.exe | 36% | Virustotal | (see VirusTotal entry)
New PO.exe | 100% | Avira | DR/AutoIt.Gen8
New PO.exe | 100% | Joe Sandbox ML |

The report's four remaining antivirus tables contain no matches.
Contacted domains:

Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 104.21.32.1 | true | false | | high
checkip.dyndns.com | 158.101.44.242 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Contacted URLs:

Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
URLs found in process memory (all marked not malicious, reputation high):

Name | Source (memory dump)
https://reallyfreegeoip.org | RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.org | RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3304409823.0000000003310000.00000004.00000800.00020000.00000000.sdmp
http://checkip.dyndns.com | RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/8.46.123.189l | RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegSvcs.exe, 00000006.00000002.3304409823.0000000003299000.00000004.00000800.00020000.00000000.sdmp
https://api.telegram.org/bot-/sendDocument?chat_id= | RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp
http://checkip.dyndns.org/q | RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp
http://reallyfreegeoip.org | RegSvcs.exe, 00000006.00000002.3304409823.0000000003338000.00000004.00000800.00020000.00000000.sdmp
https://reallyfreegeoip.org/xml/ | RegSvcs.exe, 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3304409823.000000000331C000.00000004.00000800.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp; RegSvcs.exe, 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp

The Telegram Bot API sendDocument endpoint is the exfiltration channel behind the "Yara detected Telegram RAT" signature; the bot token is not part of the string as found in memory, and the report does not show a completed request to api.telegram.org. The strings ending in "l" and "/q" are overlapping memory extractions of the two URLs above them, not separate endpoints.
Contacted IPs:

IP             | Domain              | Country       | ASN   | ASN Name           | Malicious
104.21.32.1    | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS    | false
158.101.44.242 | checkip.dyndns.com  | United States | 31898 | ORACLE-BMC-31898US | false
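The process tree and the network tables above describe one detectable chain: a non-development parent starts RegSvcs.exe, and that RegSvcs.exe then queries an IP-echo service, a geolocation service and the Telegram Bot API. The following is an added example of a hunt over endpoint telemetry for that chain; it is not Joe Sandbox code or the sample's own code. The events are constructed in a Sysmon-like shape (event 1 process creation, event 22 DNS query), the domain lists come from this report, and the set of parents under which RegSvcs.exe is treated as legitimate is an assumption to be tuned per environment.

```python
"""Hunt for the chain the report's process tree and network tables show:
a non-development parent spawns RegSvcs.exe, which then looks up its own
public IP (checkip.dyndns.org) and geolocates it (reallyfreegeoip.org)
before talking to the Telegram Bot API. Added example, not Joe Sandbox output."""
import ntpath
from collections import defaultdict

# Indicators taken from the report. Extend with other IP-echo and
# geolocation services seen in your own telemetry.
IP_LOOKUP = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP = {"reallyfreegeoip.org"}
EXFIL = {"api.telegram.org"}
# .NET framework utility used as the injection host in this report.
LOLBIN_HOSTS = {"regsvcs.exe"}
# Assumption: parents under which RegSvcs.exe is legitimately launched.
DEV_PARENTS = {"devenv.exe", "msbuild.exe"}

REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events (Sysmon-like: id 1 = process create, id 22 = DNS query).
# Not taken from the report; pids and paths are illustrative.
EVENTS = [
    {"id": 1, "pid": 4312, "image": r"C:\Users\user\Desktop\New PO.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"id": 1, "pid": 5120, "image": REGSVCS,
     "parent_image": r"C:\Users\user\Desktop\New PO.exe"},
    {"id": 22, "pid": 5120, "image": REGSVCS, "query": "checkip.dyndns.org"},
    {"id": 22, "pid": 5120, "image": REGSVCS, "query": "reallyfreegeoip.org"},
    {"id": 22, "pid": 5120, "image": REGSVCS, "query": "api.telegram.org"},
    # Benign: Visual Studio registering a COM+ assembly during a build.
    {"id": 1, "pid": 6000, "image": REGSVCS,
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    # Benign: a browser visiting the geolocation site on its own.
    {"id": 22, "pid": 7000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query": "reallyfreegeoip.org"},
]


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events) -> dict:
    """Return {pid: [reasons]} for processes matching the pattern."""
    image, parent, queries = {}, {}, defaultdict(set)
    for ev in events:
        if ev["id"] == 1:
            image[ev["pid"]] = _base(ev["image"])
            parent[ev["pid"]] = _base(ev["parent_image"])
        elif ev["id"] == 22:
            image.setdefault(ev["pid"], _base(ev["image"]))
            queries[ev["pid"]].add(ev["query"].lower())

    findings = {}
    for pid, img in image.items():
        reasons = []
        if img in LOLBIN_HOSTS and parent.get(pid) not in DEV_PARENTS:
            reasons.append(f"{img} started by {parent.get(pid, 'unknown parent')}")
        q = queries[pid]
        # The two lookups together are the sandbox/country check; either one
        # alone is too common to alert on.
        if q & IP_LOOKUP and q & GEOIP:
            reasons.append("public IP lookup followed by geolocation")
        # Telegram alone is normal on user machines; only escalate an existing hit.
        if reasons and q & EXFIL:
            reasons.append("Telegram Bot API contacted (likely exfiltration)")
        if reasons:
            findings[pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The rule deliberately needs two signals before it fires (the odd parent, or the IP-echo plus geolocation pair) and uses the Telegram contact only to raise severity, because each of these domains is reachable from plenty of legitimate software.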
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1592400
Start date and time: 2025-01-16 04:23:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 55s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: New PO.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@11/1@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 46
• Number of non-executed functions: 301
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 4.175.87.197
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
                                        No simulations
Context: other samples previously seen contacting the same IPs (all detected as malicious).

IP 104.21.32.1:
Associated sample             | Threat name        | Context
New order BPD-003777.exe      | FormBook           | www.cikolatasampuan.xyz/sbv2/
DOCU800147001.exe             | GuLoader           | b2csa.icu/PL341/index.php
24010-KAPSON.exe              | Azorult, GuLoader  | b2csa.icu/PL341/index.php
bIcqeSVPW6.exe                | FormBook           | www.rafconstrutora.online/sa6l/
BalphRTkPS.exe                | FormBook           | www.aziziyeescortg.xyz/2pcx/
25IvlOVEB1.exe                | FormBook           | www.masterqq.pro/3vdc/
QUOTATION#050125.exe          | FormBook           | www.mzkd6gp5.top/3u0p/
SH8ZyOWNi2.exe                | CMSBrute           | redroomaudio.com/administrator/index.php

104.21.32.1 is a shared Cloudflare front (AS13335) and the matches above are unrelated families talking to unrelated domains behind it, so the IP on its own is not a usable indicator; the domain name and the request path are.

IP 158.101.44.242:
Associated sample                               | Threat name                                   | Context
Invoice No 1122207 pdf.exe                      | Snake Keylogger, VIP Keylogger                | checkip.dyndns.org/
RFQ_AS0101402025.22025_PDF.exe                  | MassLogger RAT                                | checkip.dyndns.org/
ABG Draft.scr.exe                               | MassLogger RAT, PureLog Stealer               | checkip.dyndns.org/
SOA.scr.exe                                     | MassLogger RAT, PureLog Stealer               | checkip.dyndns.org/
FA_35_01_2025_STA_Wzór_standard_pdf .scr.exe    | Snake Keylogger                               | checkip.dyndns.org/
nfKqna8HuC.exe                                  | MassLogger RAT, PureLog Stealer               | checkip.dyndns.org/
aS39AS7b0P.exe                                  | Snake Keylogger                               | checkip.dyndns.org/
sS7Jrsk0Z7.exe                                  | DarkTortilla, Snake Keylogger, VIP Keylogger  | checkip.dyndns.org/
3qr7JBuNuX.exe                                  | MassLogger RAT                                | checkip.dyndns.org/
lkETeneRL3.exe                                  | Snake Keylogger, VIP Keylogger                | checkip.dyndns.org/

Every match on this IP is a .NET stealer or keylogger family performing the same checkip.dyndns.org lookup, which is why the lookup recurs as a behavioural signature for this sample class.
Context: other samples previously seen contacting the same domains (all detected as malicious).

Domain reallyfreegeoip.org:
Associated sample                               | Threat name                        | Resolved IP
WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe    | MassLogger RAT                     | 104.21.64.1
order6566546663.exe                             | Snake Keylogger                    | 104.21.48.1
Order Details.exe                               | Snake Keylogger                    | 104.21.32.1
BNXCXCJSD.jse                                   | MassLogger RAT                     | 104.21.16.1
NEWORDER.exe                                    | MassLogger RAT                     | 104.21.96.1
Invoice No 1122207 pdf.exe                      | Snake Keylogger, VIP Keylogger     | 104.21.112.1
PDF6UU0CVUO2W-YGVUIO.scr.exe                    | MassLogger RAT, PureLog Stealer    | 104.21.96.1
PO#_1100015533.scr                              | MassLogger RAT, PureLog Stealer    | 104.21.80.1
1nl3hc.ps1                                      | MassLogger RAT                     | 104.21.112.1
Contrarre.exe                                   | MassLogger RAT                     | 104.21.96.1

Domain checkip.dyndns.com:
Associated sample                               | Threat name                        | Resolved IP
WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe    | MassLogger RAT                     | 132.226.8.169
MV Nicos Tomasos Vessel Parts.exe               | Snake Keylogger                    | 193.122.6.168
order6566546663.exe                             | Snake Keylogger                    | 132.226.247.73
Order Details.exe                               | Snake Keylogger                    | 193.122.6.168
BNXCXCJSD.jse                                   | MassLogger RAT                     | 132.226.247.73
NEWORDER.exe                                    | MassLogger RAT                     | 132.226.247.73
Invoice No 1122207 pdf.exe                      | Snake Keylogger, VIP Keylogger     | 158.101.44.242
PDF6UU0CVUO2W-YGVUIO.scr.exe                    | MassLogger RAT, PureLog Stealer    | 193.122.130.0
PO#_1100015533.scr                              | MassLogger RAT, PureLog Stealer    | 193.122.130.0
1nl3hc.ps1                                      | MassLogger RAT                     | 193.122.130.0
Context: other samples previously seen contacting the same ASNs (all detected as malicious).

ASN ORACLE-BMC-31898US:
Associated sample                               | Threat name                        | IP
MV Nicos Tomasos Vessel Parts.exe               | Snake Keylogger                    | 193.122.6.168
Order Details.exe                               | Snake Keylogger                    | 193.122.6.168
Execute.ps1                                     | Metasploit                         | 158.101.196.44
Invoice No 1122207 pdf.exe                      | Snake Keylogger, VIP Keylogger     | 158.101.44.242
PDF6UU0CVUO2W-YGVUIO.scr.exe                    | MassLogger RAT, PureLog Stealer    | 193.122.130.0
PO#_1100015533.scr                              | MassLogger RAT, PureLog Stealer    | 193.122.130.0
1nl3hc.ps1                                      | MassLogger RAT                     | 193.122.130.0
Contrarre.exe                                   | MassLogger RAT                     | 193.122.6.168
Company introduction.exe                        | Snake Keylogger, VIP Keylogger     | 193.122.6.168
rDEKONT-1_15_2025__75kb__pdf.exe                | Snake Keylogger, VIP Keylogger     | 193.122.6.168

ASN CLOUDFLARENETUS:
Associated sample / URL                                                     | Threat name      | IP
Pedang @ Pìsau.exe                                                          | Brontok          | 104.21.48.1
WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe                                | MassLogger RAT   | 104.21.64.1
order6566546663.exe                                                         | Snake Keylogger  | 104.21.16.1
Order Details.exe                                                           | Snake Keylogger  | 104.21.32.1
Subscription_Renewal_Invoice_2025_FGHDCS.html                               | HTMLPhisher      | 104.17.25.14
https://yogalisbon.gitcz.pw/sign-in                                         | Unknown          | 104.21.112.1
http://com-evaluate-fanpage30127.pages.dev/help/contact/671203900952887     | HTMLPhisher      | 188.114.97.3
http://docs-wltconnect.gitbook.io/us-en                                     | HTMLPhisher      | 172.64.147.209
https://inhospitality.shop/                                                 | Unknown          | 104.17.25.14
http://shorten.so/fVj82                                                     | Porn Scam        | 104.21.54.29
Context: other samples previously seen with the same TLS client fingerprint (JA3) 54328bd36c14bd82ddaa0c04b25ed9ad (all detected as malicious, all observed against 104.21.32.1):

Associated sample                               | Threat name
WOOYANG VENUS_VESSEL_PARTICULARS.doc.scr.exe    | MassLogger RAT
order6566546663.exe                             | Snake Keylogger
Order Details.exe                               | Snake Keylogger
BNXCXCJSD.jse                                   | MassLogger RAT
NEWORDER.exe                                    | MassLogger RAT
Invoice No 1122207 pdf.exe                      | Snake Keylogger, VIP Keylogger
PDF6UU0CVUO2W-YGVUIO.scr.exe                    | MassLogger RAT, PureLog Stealer
1nl3hc.ps1                                      | MassLogger RAT
Contrarre.exe                                   | MassLogger RAT
Company introduction.exe                        | Snake Keylogger, VIP Keylogger

Dropped files: no context matches.
Dropped file

Process: C:\Users\user\Desktop\New PO.exe
File Type: data
Category: dropped
Size (bytes): 209408
Entropy (8bit): 7.8513720148319095
Encrypted: false
SSDEEP: 3072:Vopc30t0t7Orqz+2mX02ctIr/qepH/6CymaSlEBoVh3/6DWPRekhmNz:fAGcr3Evt61//JlAoVZZq
MD5: 8C55DF01BC1657B2F9AAC1866DBD5229
SHA1: 659C23D721E63003377D1F110D743F8AA11883D4
SHA-256: E8787799262520C69662703A4F205BFB59B12EDAD489A2C3174091290424913D
SHA-512: 83FF6CD9D56EB6AF08C4E5E1C813A8BFAE828C7094900295D78771828663AE68A0F939D57142F4651F03C0A5289E00A073523D865213C21141D5CF29C7BA7E5B
Malicious: false
Reputation: low
Preview: {b.X4KHYF7ZJ..SA.GNY68LXwKHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY.8LX9T.WB.S.h.R..f.1_Kl(E$/+#Zz)(8=.%g,<.J96."&y.x.j$97$.JCS.8LX7KHY*'.ge'.?}6.'.I.&.h7'}F.4B..?z6.'.I.&k:.'p.44U'.?cd''.I.&.h3'oF.4.?0)}6.'68LX7KHYB7ZJIVSA.)..68LXg.HY.6^J=.S.QGNY68LX.KkXI6SJI.RAQ.OY68LX..HYB'ZJI.RAQG.Y6(LX7IHYG7ZJIVSATGNY68LX7.KYB3ZJ.mQASGN.68\X7[HYB7JJIFSAQGNY&8LX7KHYB7ZJ.CQA.GNY6XNX.ZIYB7ZJIVSAQGNY68LX7KHYB7ZJ..RAMGNY68LX7KHYB7ZJIVSAQGNY68LX.FJY.7ZJIVSAQGNY6.MX.JHYB7ZJIVSAQGNY68LX7KHYB7ZJg"69%GNY..MX7[HYB.[JIRSAQGNY68LX7KHYb7Z*g$7 %&NY.ULX7.IYBYZJI.RAQGNY68LX7KHY.7Z.g2250GNY..LX7kJYB!ZJI\QAQGNY68LX7KHY.7Z.g$ 32GNY.)MX7+JYB%[JIvQAQGNY68LX7KHY.7Z.IVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY68LX7KHYB7ZJIVSAQGNY

The file has no recognised type and an entropy of 7.85 bits per byte, which is what encoded or encrypted data looks like; the repeating string "KHYB7ZJIVSAQGNY68LX7" visible in the preview is the kind of pattern left when a short key is XORed over runs of identical bytes. Together with the process tree, where the AutoIt stage writes into foreign memory and maps memory into RegSvcs.exe, it is consistent with the payload that gets decoded and injected, although the report does not show the decode itself.
Static file information

File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.295665959972193
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: New PO.exe
File size: 1'425'408 bytes
MD5: 26ef64c7dff899344300c0ecedd6fae8
SHA1: 352d8daeda7f8a090892b84d11f1efeda700103e
SHA256: 9457469e8f677c795dcef72556c810c2e3b333f99f87f60d8ffd501b1069e0b4
SHA512: 3feacbe55ab2eaa3e9411bf5442efcc77705866c90f666b13aef90483bdb17450e2b7c4fc5e878858bbd107f9573f062ac49237fa404275fe78cec1d5ae5d1f7
SSDEEP: 24576:qqDEvCTbMWu7rQYlBQcBiT6rprG8a8CKOsiHkJ6ne6TEZ27TBFAIMG:qTvC/MTQYxsWR7a8POsYy6e2BW9
TLSH: 3965D0027391C062FFAB92334B5AF6115BBC7A260123E61F13981D79BE705B1563E7A3
File Content Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x420577
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x67884A63 [Wed Jan 15 23:53:07 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 948cc502fe9226992dce9417f952fce3

The compile timestamp is about three and a half hours before the analysis started (2025-01-16 04:23 +01:00), the file is unsigned, and there is no CLR header: the outer executable is native (the compiled AutoIt interpreter), and the .NET component the Yara rules identify only appears after injection into RegSvcs.exe.
Entrypoint preview (disassembly from 0x420577):
                                        call 00007F76B525FEE3h
                                        jmp 00007F76B525F7EFh
                                        push ebp
                                        mov ebp, esp
                                        push esi
                                        push dword ptr [ebp+08h]
                                        mov esi, ecx
                                        call 00007F76B525F9CDh
                                        mov dword ptr [esi], 0049FDF0h
                                        mov eax, esi
                                        pop esi
                                        pop ebp
                                        retn 0004h
                                        and dword ptr [ecx+04h], 00000000h
                                        mov eax, ecx
                                        and dword ptr [ecx+08h], 00000000h
                                        mov dword ptr [ecx+04h], 0049FDF8h
                                        mov dword ptr [ecx], 0049FDF0h
                                        ret
                                        push ebp
                                        mov ebp, esp
                                        push esi
                                        push dword ptr [ebp+08h]
                                        mov esi, ecx
                                        call 00007F76B525F99Ah
                                        mov dword ptr [esi], 0049FE0Ch
                                        mov eax, esi
                                        pop esi
                                        pop ebp
                                        retn 0004h
                                        and dword ptr [ecx+04h], 00000000h
                                        mov eax, ecx
                                        and dword ptr [ecx+08h], 00000000h
                                        mov dword ptr [ecx+04h], 0049FE14h
                                        mov dword ptr [ecx], 0049FE0Ch
                                        ret
                                        push ebp
                                        mov ebp, esp
                                        push esi
                                        mov esi, ecx
                                        lea eax, dword ptr [esi+04h]
                                        mov dword ptr [esi], 0049FDD0h
                                        and dword ptr [eax], 00000000h
                                        and dword ptr [eax+04h], 00000000h
                                        push eax
                                        mov eax, dword ptr [ebp+08h]
                                        add eax, 04h
                                        push eax
                                        call 00007F76B526258Dh
                                        pop ecx
                                        pop ecx
                                        mov eax, esi
                                        pop esi
                                        pop ebp
                                        retn 0004h
                                        lea eax, dword ptr [ecx+04h]
                                        mov dword ptr [ecx], 0049FDD0h
                                        push eax
                                        call 00007F76B52625D8h
                                        pop ecx
                                        ret
                                        push ebp
                                        mov ebp, esp
                                        push esi
                                        mov esi, ecx
                                        lea eax, dword ptr [esi+04h]
                                        mov dword ptr [esi], 0049FDD0h
                                        push eax
                                        call 00007F76B52625C1h
                                        test byte ptr [ebp+08h], 00000001h
                                        pop ecx
                                        Programming Language:
                                        • [ C ] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
Data directories:

Name                                     | Virtual Address | Virtual Size | Section
IMAGE_DIRECTORY_ENTRY_EXPORT             | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IMPORT             | 0xc8e64         | 0x17c        | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE           | 0xd4000         | 0x85428      | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_SECURITY           | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_BASERELOC          | 0x15a000        | 0x7594       | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG              | 0xb0ff0         | 0x1c         | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR          | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_TLS                | 0xc3400         | 0x18         | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG        | 0xb1010         | 0x40         | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_IAT                | 0x9c000         | 0x894        | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT       | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR     | 0x0             | 0x0          |
IMAGE_DIRECTORY_ENTRY_RESERVED           | 0x0             | 0x0          |
Sections:

Name   | Virtual Address | Virtual Size | Raw Size | MD5                              | Xored PE | ZLIB Complexity | File Type                                        | Entropy | Characteristics
.text  | 0x1000          | 0x9ab1d      | 0x9ac00  | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False    | 0.5655          | data                                             | 6.668   | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000         | 0x2fb82      | 0x2fc00  | c9cf2468b60bf4f80f136ed54b3989fb | False    | 0.3529          | data                                             | 5.692   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data  | 0xcc000         | 0x706c       | 0x4800   | 53b9025d545d65e23295e30afdbd16d9 | False    | 0.0436          | DOS executable (block device driver @\273\)      | 0.585   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc  | 0xd4000         | 0x85428      | 0x85600  | 035eed6fbeaa0f9e1375f00c0dff5266 | False    | 0.9504          | data                                             | 7.941   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x15a000        | 0x7594       | 0x7600   | c68ee8931a32d45eb82dc450ee40efc3 | False    | 0.7628          | data                                             | 6.797   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

The code and data sections have ordinary entropy; the 7.94 of .rsrc (0x85600 raw bytes, roughly a third of the file) is where the file's overall 7.30 comes from. The "DOS executable" file type guessed for .data is a libmagic misfire on a mostly-zero section, not a second embedded executable.
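The section table above is what a first static pass looks at: which sections hold high-entropy data, how much of the file they account for, and whether the compiled-AutoIt resource marker is present. The following is an added example of that pass, written here for illustration and not taken from Joe Sandbox or from the sample. It uses only the Python standard library. The PE image it analyses is constructed inside the block (a two-section PE32 whose .rsrc starts with the AutoIt3 compiled-script header "AU3!EA06" followed by pseudo-random bytes); the 7.2 entropy threshold is an assumption chosen so that a section like this report's .rsrc (7.94) is flagged while .text (6.67) is not.

```python
"""Static triage of a PE section table, as in the report's section and
resource tables for New PO.exe: per-section Shannon entropy, the share of
the file held in high-entropy sections, and the compiled-AutoIt marker.
Added example using only the standard library; it is not Joe Sandbox code."""
import hashlib
import math
import struct

AUTOIT_MARKER = b"AU3!EA06"   # header of the AutoIt3 compiled-script resource
HIGH_ENTROPY = 7.2            # threshold assumption; .rsrc in the report is 7.94


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section headers."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    off = coff + 20 + opt_size
    sections = []
    for _ in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
        off += 40
    return sections


def triage(pe: bytes) -> dict:
    """Flag high-entropy sections and the AutoIt marker; report the share of
    the file that sits in flagged sections."""
    secs = parse_sections(pe)
    flags, high = [], 0
    for s in secs:
        if s["entropy"] >= HIGH_ENTROPY:
            high += s["rawsize"]
            flags.append(f"{s['name']}: entropy {s['entropy']} (packed or encrypted data)")
    if AUTOIT_MARKER in pe:
        flags.append("compiled AutoIt script marker present")
    return {"sections": secs, "high_entropy_share": round(high / len(pe), 3), "flags": flags}


def build_sample_pe(sections) -> bytes:
    """Assemble a minimal PE32 image from (name, raw_bytes) pairs. Constructed
    for the example: enough header to parse, not enough to load."""
    pe_off, opt_size = 0x80, 0xE0
    hdr = bytearray(b"MZ" + b"\0" * (0x3C - 2)) + struct.pack("<I", pe_off)
    hdr += b"\0" * (pe_off - len(hdr)) + b"PE\0\0"
    # COFF header: i386, section count, timestamp, symtab ptr/count, optional size, flags
    hdr += struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    hdr += opt
    data_off = len(hdr) + 40 * len(sections)
    body = bytearray()
    for i, (name, raw) in enumerate(sections):
        hdr += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(raw),
                           0x1000 * (i + 1), len(raw), data_off + len(body),
                           0, 0, 0, 0, 0x40000040)
        body += raw
    return bytes(hdr + body)


# Constructed sample: low-entropy code and a high-entropy .rsrc that begins
# with the AutoIt marker, the layout the report's tables describe.
CODE = b"\x55\x8b\xec\x83\xec\x10" * 100
PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256))
SAMPLE_PE = build_sample_pe([(b".text", CODE), (b".rsrc", AUTOIT_MARKER + PAYLOAD)])

if __name__ == "__main__":
    result = triage(SAMPLE_PE)
    for s in result["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:x} raw=0x{s['rawsize']:x} entropy={s['entropy']}")
    print("high-entropy share:", result["high_entropy_share"])
    print("\n".join(result["flags"]))
```

To run it against a real file, pass the file's bytes to triage() instead of SAMPLE_PE. The entropy check is a hint, not a verdict: signed installers and compressed resources score just as high, so the result is only meaningful next to the other indicators the report lists (the AutoIt marker, the injection into RegSvcs.exe, the network chain).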
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x7c6f0 | data | | | 1.0003256945534453
RT_GROUP_ICON | 0x158ea8 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x158f20 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x158f34 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x158f48 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x158f5c | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x159038 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
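The single RT_RCDATA entry above is the only resource that is large (0x7c6f0 bytes), has no language, and has a ZLIB Complexity above 1.0, which is the profile of an encrypted or already-compressed blob stored in the resource section (here, in a binary Joe Sandbox flags as a compiled AutoIt script, the embedded script or stage). The following is an added example, not code from the report or from Joe Sandbox: it computes a compressed-size-to-original-size ratio (the assumption here is that this is how the report's "ZLIB Complexity" column is defined) on constructed sample data and then applies a size-plus-ratio heuristic to resource rows copied from the table above.

```python
# Added example: what the "ZLIB Complexity" column measures, and how to use it
# to spot an embedded payload such as the RT_RCDATA resource in the report.
# The metric definition (compressed size / original size) is an assumption
# about how the report computes it.
import os
import zlib


def zlib_complexity(data: bytes) -> float:
    """Ratio of zlib-compressed size to original size. Plain text compresses
    well (ratio well below 1); encrypted or already-compressed data does not
    (ratio about 1, slightly above because of zlib's framing overhead)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


# Resource rows copied from the report's table: (type, RVA, size, complexity).
REPORT_RESOURCES = [
    ("RT_ICON", 0xd45a8, 0x128, 0.7466),
    ("RT_STRING", 0xda4f0, 0x594, 0.3333),
    ("RT_RCDATA", 0xdc7b8, 0x7c6f0, 1.0003),
    ("RT_GROUP_ICON", 0x158ea8, 0x76, 0.6610),
    ("RT_VERSION", 0x158f5c, 0xdc, 0.6182),
    ("RT_MANIFEST", 0x159038, 0x3ef, 0.5074),
]


def flag_packed_resources(rows, min_size=0x10000, min_ratio=0.98):
    """Return resources that are both large and incompressible: the profile
    of an encrypted script or second-stage binary stored as an RCDATA blob.
    Thresholds are example values, not tuned against a corpus."""
    return [
        (kind, hex(rva), size)
        for kind, rva, size, ratio in rows
        if size >= min_size and ratio >= min_ratio
    ]


def demo():
    """Constructed sample blobs: random bytes stand in for encrypted data,
    repeated text for a normal string table."""
    random_blob = os.urandom(64 * 1024)
    text_blob = b"Current IP Address: 8.46.123.189\r\n" * 2000
    return {
        "random_ratio": zlib_complexity(random_blob),
        "text_ratio": zlib_complexity(text_blob),
        "flagged": flag_packed_resources(REPORT_RESOURCES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The random blob lands just above 1.0, the text blob far below 0.1, and only the RT_RCDATA row survives the heuristic. On a live sample the same ratio can be computed over each resource's bytes once they are extracted (for example with pefile), which is more reliable than the table value alone because it also lets you try decompressing or decrypting the blob.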
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-16T04:24:02.787850+0100 | 2803274 | ETPRO MALWARE Common Downloader Header Pattern UH | 2 | 192.168.2.5 | 49704 | 158.101.44.242 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 16, 2025 04:24:01.961591005 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:24:01.966532946 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:24:01.966613054 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:24:01.966793060 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:24:01.971641064 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:24:02.535448074 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:24:02.545222998 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:24:02.550303936 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:24:02.735843897 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:24:02.787849903 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:24:02.791501045 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:02.791600943 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:02.791692019 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:02.847839117 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:02.847907066 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.308310986 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.308516026 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:03.333935022 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:03.333981037 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.334278107 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.387113094 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:03.483176947 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:03.527333021 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.594234943 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.594299078 CET | 443 | 49705 | 104.21.32.1 | 192.168.2.5
Jan 16, 2025 04:24:03.594374895 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:24:03.602788925 CET | 49705 | 443 | 192.168.2.5 | 104.21.32.1
Jan 16, 2025 04:25:07.745830059 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Jan 16, 2025 04:25:07.745965004 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:25:42.756943941 CET | 49704 | 80 | 192.168.2.5 | 158.101.44.242
Jan 16, 2025 04:25:42.762310028 CET | 80 | 49704 | 158.101.44.242 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 16, 2025 04:24:01.947427034 CET | 52721 | 53 | 192.168.2.5 | 1.1.1.1
Jan 16, 2025 04:24:01.954818010 CET | 53 | 52721 | 1.1.1.1 | 192.168.2.5
Jan 16, 2025 04:24:02.770230055 CET | 49519 | 53 | 192.168.2.5 | 1.1.1.1
Jan 16, 2025 04:24:02.789983988 CET | 53 | 49519 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 16, 2025 04:24:01.947427034 CET | 192.168.2.5 | 1.1.1.1 | 0xcd34 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.770230055 CET | 192.168.2.5 | 1.1.1.1 | 0x7bd9 | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:01.954818010 CET | 1.1.1.1 | 192.168.2.5 | 0xcd34 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.32.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.112.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.16.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.96.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.80.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.48.1 | A (IP address) | IN (0x0001) | false
Jan 16, 2025 04:24:02.789983988 CET | 1.1.1.1 | 192.168.2.5 | 0x7bd9 | No error (0) | reallyfreegeoip.org | | 104.21.64.1 | A (IP address) | IN (0x0001) | false
                                        • reallyfreegeoip.org
                                        • checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 158.101.44.242 | 80 | 2316 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
Jan 16, 2025 04:24:01.966793060 CET | 151 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
                                        Connection: Keep-Alive
Jan 16, 2025 04:24:02.535448074 CET | 321 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 16 Jan 2025 03:24:02 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        X-Request-ID: 397b941c5b1439cec3a16ad0166ee196
                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 16, 2025 04:24:02.545222998 CET | 127 | OUT | GET / HTTP/1.1
                                        User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                        Host: checkip.dyndns.org
Jan 16, 2025 04:24:02.735843897 CET | 321 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 16 Jan 2025 03:24:02 GMT
                                        Content-Type: text/html
                                        Content-Length: 104
                                        Connection: keep-alive
                                        Cache-Control: no-cache
                                        Pragma: no-cache
                                        X-Request-ID: 2b9722355eb9449a0b789ad4aaeb7cbd
                                        Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                        Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 104.21.32.1 | 443 | 2316 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Timestamp | Bytes transferred | Direction | Data
2025-01-16 03:24:03 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                        Host: reallyfreegeoip.org
                                        Connection: Keep-Alive
2025-01-16 03:24:03 UTC | 857 | IN | HTTP/1.1 200 OK
                                        Date: Thu, 16 Jan 2025 03:24:03 GMT
                                        Content-Type: text/xml
                                        Content-Length: 362
                                        Connection: close
                                        Age: 2312632
                                        Cache-Control: max-age=31536000
                                        cf-cache-status: HIT
                                        last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=D9uFVtzF0nRCrJ9EnBAWMSFLEXuOAa0yCSDnGrvDQI2CYe7a0WFpwNgBoAB62cTi1bfpMloTSsaz56wq59IRh0D%2F2y5p%2F7JtYtnPDV4n7SBySgRRwz%2B021gHqES5P%2FNL5ETOSgk5"}],"group":"cf-nel","max_age":604800}
                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                        Server: cloudflare
                                        CF-RAY: 902afd8a19141875-EWR
                                        alt-svc: h3=":443"; ma=86400
                                        server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1470&rtt_var=560&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1938911&cwnd=153&unsent_bytes=0&cid=d644ce03d86d5130&ts=296&x=0"
2025-01-16 03:24:03 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                        Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


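The two HTTP sessions above are the behaviour the report summarises as "Tries to detect the country of the analysis system (by using the IP)": the injected RegSvcs.exe (PID 2316) asks checkip.dyndns.org for its public address, receives 8.46.123.189, and within a second requests /xml/8.46.123.189 from reallyfreegeoip.org, all with a hard-coded MSIE 6.0 user agent. The following detection logic is an added example, not code from the report or from Joe Sandbox; it runs over a constructed, simplified proxy-log format (the pipe-delimited layout and its field order are assumptions, not any product's real format) and correlates the IP-echo request with the geolocation follow-up per client and PID, rather than alerting on either host alone.

```python
# Added example: correlate the public-IP lookup with the geolocation lookup
# that follows it, per client and process, over a constructed proxy log.
from datetime import datetime, timedelta

IP_CHECK_HOSTS = {"checkip.dyndns.org", "checkip.dyndns.com"}
GEOIP_HOSTS = {"reallyfreegeoip.org"}
# User agent carried by the checkip.dyndns.org requests in the report.
SUSPECT_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)"

# Constructed sample log (assumed format): time|client|pid|process|host|method|path|user_agent
# The first three lines mirror the report's sessions; the last two are benign-looking noise.
SAMPLE_LOG = """\
2025-01-16T03:24:01Z|192.168.2.5|2316|RegSvcs.exe|checkip.dyndns.org|GET|/|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2025-01-16T03:24:02Z|192.168.2.5|2316|RegSvcs.exe|checkip.dyndns.org|GET|/|Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
2025-01-16T03:24:03Z|192.168.2.5|2316|RegSvcs.exe|reallyfreegeoip.org|GET|/xml/8.46.123.189|
2025-01-16T03:25:10Z|192.168.2.7|4410|msedge.exe|www.example.com|GET|/index.html|Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-01-16T03:30:00Z|192.168.2.9|5120|powershell.exe|checkip.dyndns.org|GET|/|Mozilla/5.0 (Windows NT 10.0) WindowsPowerShell/5.1
"""


def parse_log(text):
    """Parse the constructed log format into dicts with a real datetime."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, pid, proc, host, method, path, ua = line.split("|", 7)
        rows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "pid": int(pid), "process": proc,
            "host": host.lower(), "method": method, "path": path, "ua": ua,
        })
    return rows


def detect_geo_check(rows, window=timedelta(minutes=5)):
    """Return one finding per (client, pid, process) that contacts an IP-echo
    service. Severity is 'high' when a geolocation request follows within
    `window` and the echo request carried the suspect user agent, 'medium'
    when only one of those holds, and 'low' for a lone echo request such as
    the PowerShell line (a common admin one-off, worth a look but not a page)."""
    by_proc = {}
    for r in rows:
        by_proc.setdefault((r["client"], r["pid"], r["process"]), []).append(r)

    findings = []
    for (client, pid, proc), reqs in by_proc.items():
        reqs.sort(key=lambda r: r["ts"])
        ipchecks = [r for r in reqs if r["host"] in IP_CHECK_HOSTS]
        if not ipchecks:
            continue
        first = ipchecks[0]["ts"]
        followup = [r for r in reqs
                    if r["host"] in GEOIP_HOSTS and first <= r["ts"] <= first + window]
        suspect_ua = any(r["ua"] == SUSPECT_UA for r in ipchecks)
        if followup and suspect_ua:
            severity = "high"
        elif followup or suspect_ua:
            severity = "medium"
        else:
            severity = "low"
        findings.append({
            "client": client, "pid": pid, "process": proc,
            "severity": severity,
            "geo_path": followup[0]["path"] if followup else None,
        })
    return findings


if __name__ == "__main__":
    for f in detect_geo_check(parse_log(SAMPLE_LOG)):
        print(f)
```

The geo_path field is kept in the finding because the address in the path (here 8.46.123.189) is the public IP the malware learned from the first request, which ties the two sessions together better than timing alone. Both hosts are also used by legitimate software, so the pairing and the user agent carry the signal, not the domains by themselves.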

                                        Target ID:0
                                        Start time:22:23:56
                                        Start date:15/01/2025
                                        Path:C:\Users\user\Desktop\New PO.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0xf10000
                                        File size:1'425'408 bytes
                                        MD5 hash:26EF64C7DFF899344300C0ECEDD6FAE8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000000.00000002.2050403627.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:2
                                        Start time:22:23:57
                                        Start date:15/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0x260000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

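The entry above is the hollowing pattern the report's signatures describe ("Writes to foreign memory regions", "Maps a DLL or memory area into another process"): the image is the legitimate .NET utility RegSvcs.exe under C:\Windows\Microsoft.NET\Framework\v4.0.30319, but its command line is "C:\Users\user\Desktop\New PO.exe", because the AutoIt dropper created it suspended with its own command line and replaced its memory. The following process-creation check is an added example, not code from the report or from Joe Sandbox. The event records are constructed in the shape of Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); those field names, and the short list of .NET utilities treated as common hollowing hosts, are assumptions to adapt to your own telemetry.

```python
# Added example: flag process-creation events whose command line names a
# different executable than the image actually loaded, plus .NET utilities
# spawned from a user-profile path, as in the RegSvcs.exe entries above.
import ntpath

# Example list of .NET framework utilities frequently abused as hollowing hosts.
COMMON_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe",
                "installutil.exe", "aspnet_compiler.exe"}

# Constructed events modelled on the report's process tree (Sysmon-style field
# names are an assumption). The second and third are benign controls.
SAMPLE_EVENTS = [
    {"ProcessId": 2316,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Users\user\Desktop\New PO.exe"',
     "ParentImage": r"C:\Users\user\Desktop\New PO.exe"},
    {"ProcessId": 4410,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /u C:\app\lib.dll',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessId": 5120,
     "Image": r"C:\Program Files\Notepad++\notepad++.exe",
     "CommandLine": r"notepad++.exe C:\notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def command_line_image(cmdline):
    """First token of a Windows command line: either a double-quoted path or
    the text up to the first space. Good enough for the Image/CommandLine
    comparison; it does not attempt full CommandLineToArgvW semantics."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_event(ev):
    """Return a list of reasons this event looks like a hollowed host
    (empty list when nothing is wrong)."""
    image = ntpath.basename(ev["Image"]).lower()
    claimed = ntpath.basename(command_line_image(ev["CommandLine"])).lower()
    parent_path = ev["ParentImage"].lower()
    reasons = []
    # A spoofed command line: the loaded image and the executable the command
    # line names disagree. Legitimate launches keep them consistent.
    if claimed and claimed != image:
        reasons.append(f"command line names {claimed!r} but image is {image!r}")
    # A .NET utility started by a binary living in a user profile directory.
    if image in COMMON_HOSTS and parent_path.startswith("c:\\users\\"):
        reasons.append(f"{image} spawned by user-profile binary "
                       f"{ntpath.basename(parent_path)!r}")
    return reasons


def scan(events):
    """Map ProcessId -> reasons for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = check_event(ev)
        if reasons:
            findings[ev["ProcessId"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

Only PID 2316 is flagged, on both counts; the RegSvcs.exe launched from cmd.exe with its own path on the command line passes, as does the notepad++ event whose command line uses a bare file name. On a real host the same comparison can be driven from Sysmon Event ID 1 or from Windows Security event 4688 with command-line auditing enabled.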
                                        Target ID:3
                                        Start time:22:23:58
                                        Start date:15/01/2025
                                        Path:C:\Users\user\Desktop\New PO.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0xf10000
                                        File size:1'425'408 bytes
                                        MD5 hash:26EF64C7DFF899344300C0ECEDD6FAE8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000003.00000002.2063352777.0000000003A50000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:4
                                        Start time:22:23:59
                                        Start date:15/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):false
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0x220000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high
                                        Has exited:true

                                        Target ID:5
                                        Start time:22:23:59
                                        Start date:15/01/2025
                                        Path:C:\Users\user\Desktop\New PO.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0xf10000
                                        File size:1'425'408 bytes
                                        MD5 hash:26EF64C7DFF899344300C0ECEDD6FAE8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000005.00000002.2074604094.0000000000ED0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                        Reputation:low
                                        Has exited:true

                                        Target ID:6
                                        Start time:22:24:00
                                        Start date:15/01/2025
                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\New PO.exe"
                                        Imagebase:0xb30000
                                        File size:45'984 bytes
                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: 00000006.00000002.3302821285.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: ditekSHen
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3305606667.0000000004231000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3303760684.0000000002D00000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.3303855930.0000000002EE0000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        • Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: unknown
                                        • Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000006.00000002.3304133515.0000000002F80000.00000004.08000000.00040000.00000000.sdmp, Author: Florian Roth
                                        Reputation:high
                                        Has exited:false


                                          Execution Graph

                                          Execution Coverage:2.6%
                                          Dynamic/Decrypted Code Coverage:1.2%
                                          Signature Coverage:3.4%
                                          Total number of Nodes:1619
                                          Total number of Limit Nodes:31
                                          execution_graph 96064 f11033 96069 f14c91 96064->96069 96068 f11042 96077 f1a961 96069->96077 96074 f14d9c 96075 f11038 96074->96075 96085 f151f7 22 API calls __fread_nolock 96074->96085 96076 f300a3 29 API calls __onexit 96075->96076 96076->96068 96086 f2fe0b 96077->96086 96079 f1a976 96096 f2fddb 96079->96096 96081 f14cff 96082 f13af0 96081->96082 96121 f13b1c 96082->96121 96085->96074 96088 f2fddb 96086->96088 96089 f2fdfa 96088->96089 96092 f2fdfc 96088->96092 96106 f3ea0c 96088->96106 96113 f34ead 7 API calls 2 library calls 96088->96113 96089->96079 96091 f3066d 96115 f332a4 RaiseException 96091->96115 96092->96091 96114 f332a4 RaiseException 96092->96114 96094 f3068a 96094->96079 96098 f2fde0 96096->96098 96097 f3ea0c ___std_exception_copy 21 API calls 96097->96098 96098->96097 96099 f2fdfa 96098->96099 96101 f2fdfc 96098->96101 96118 f34ead 7 API calls 2 library calls 96098->96118 96099->96081 96105 f3066d 96101->96105 96119 f332a4 RaiseException 96101->96119 96103 f3068a 96103->96081 96120 f332a4 RaiseException 96105->96120 96112 f43820 __dosmaperr 96106->96112 96107 f4385e 96117 f3f2d9 20 API calls __dosmaperr 96107->96117 96108 f43849 RtlAllocateHeap 96110 f4385c 96108->96110 96108->96112 96110->96088 96112->96107 96112->96108 96116 f34ead 7 API calls 2 library calls 96112->96116 96113->96088 96114->96091 96115->96094 96116->96112 96117->96110 96118->96098 96119->96105 96120->96103 96122 f13b0f 96121->96122 96123 f13b29 96121->96123 96122->96074 96123->96122 96124 f13b30 RegOpenKeyExW 96123->96124 96124->96122 96125 f13b4a RegQueryValueExW 96124->96125 96126 f13b80 RegCloseKey 96125->96126 96127 f13b6b 96125->96127 96126->96122 96127->96126 96128 f12e37 96129 f1a961 22 API calls 96128->96129 96130 f12e4d 96129->96130 96207 f14ae3 96130->96207 96132 f12e6b 96221 f13a5a 96132->96221 96134 f12e7f 96228 f19cb3 96134->96228 96139 f52cb0 96276 f82cf9 96139->96276 96140 f12ead 96256 f1a8c7 96140->96256 96142 f52cc3 
96144 f52ccf 96142->96144 96302 f14f39 96142->96302 96148 f14f39 68 API calls 96144->96148 96145 f12ec3 96260 f16f88 22 API calls 96145->96260 96150 f52ce5 96148->96150 96149 f12ecf 96151 f19cb3 22 API calls 96149->96151 96308 f13084 22 API calls 96150->96308 96152 f12edc 96151->96152 96261 f1a81b 41 API calls 96152->96261 96155 f12eec 96157 f19cb3 22 API calls 96155->96157 96156 f52d02 96309 f13084 22 API calls 96156->96309 96159 f12f12 96157->96159 96262 f1a81b 41 API calls 96159->96262 96161 f52d1e 96162 f13a5a 24 API calls 96161->96162 96164 f52d44 96162->96164 96163 f12f21 96167 f1a961 22 API calls 96163->96167 96310 f13084 22 API calls 96164->96310 96166 f52d50 96168 f1a8c7 22 API calls 96166->96168 96169 f12f3f 96167->96169 96170 f52d5e 96168->96170 96263 f13084 22 API calls 96169->96263 96311 f13084 22 API calls 96170->96311 96173 f12f4b 96264 f34a28 40 API calls 2 library calls 96173->96264 96175 f12f59 96175->96150 96177 f12f63 96175->96177 96176 f52d6d 96178 f1a8c7 22 API calls 96176->96178 96265 f34a28 40 API calls 2 library calls 96177->96265 96180 f52d83 96178->96180 96312 f13084 22 API calls 96180->96312 96181 f12f6e 96181->96156 96183 f12f78 96181->96183 96266 f34a28 40 API calls 2 library calls 96183->96266 96185 f52d90 96186 f12f83 96186->96161 96187 f12f8d 96186->96187 96267 f34a28 40 API calls 2 library calls 96187->96267 96189 f12f98 96190 f12fdc 96189->96190 96268 f13084 22 API calls 96189->96268 96190->96176 96191 f12fe8 96190->96191 96191->96185 96270 f163eb 22 API calls 96191->96270 96194 f12fbf 96196 f1a8c7 22 API calls 96194->96196 96195 f12ff8 96271 f16a50 22 API calls 96195->96271 96198 f12fcd 96196->96198 96269 f13084 22 API calls 96198->96269 96199 f13006 96272 f170b0 23 API calls 96199->96272 96204 f13021 96205 f13065 96204->96205 96273 f16f88 22 API calls 96204->96273 96274 f170b0 23 API calls 96204->96274 96275 f13084 22 API calls 96204->96275 96208 f14af0 __wsopen_s 96207->96208 96210 f14b22 96208->96210 96316 f16b57 96208->96316 
96220 f14b58 96210->96220 96313 f14c6d 96210->96313 96212 f19cb3 22 API calls 96214 f14c52 96212->96214 96213 f19cb3 22 API calls 96213->96220 96216 f1515f 22 API calls 96214->96216 96215 f14c6d 22 API calls 96215->96220 96217 f14c5e 96216->96217 96217->96132 96219 f14c29 96219->96212 96219->96217 96220->96213 96220->96215 96220->96219 96328 f1515f 96220->96328 96345 f51f50 96221->96345 96224 f19cb3 22 API calls 96225 f13a8d 96224->96225 96347 f13aa2 96225->96347 96227 f13a97 96227->96134 96229 f19cc2 _wcslen 96228->96229 96230 f2fe0b 22 API calls 96229->96230 96231 f19cea __fread_nolock 96230->96231 96232 f2fddb 22 API calls 96231->96232 96233 f12e8c 96232->96233 96234 f14ecb 96233->96234 96367 f14e90 LoadLibraryA 96234->96367 96239 f14ef6 LoadLibraryExW 96375 f14e59 LoadLibraryA 96239->96375 96240 f53ccf 96241 f14f39 68 API calls 96240->96241 96243 f53cd6 96241->96243 96245 f14e59 3 API calls 96243->96245 96247 f53cde 96245->96247 96397 f150f5 96247->96397 96248 f14f20 96248->96247 96249 f14f2c 96248->96249 96250 f14f39 68 API calls 96249->96250 96252 f12ea5 96250->96252 96252->96139 96252->96140 96255 f53d05 96257 f1a8ea __fread_nolock 96256->96257 96258 f1a8db 96256->96258 96257->96145 96258->96257 96259 f2fe0b 22 API calls 96258->96259 96259->96257 96260->96149 96261->96155 96262->96163 96263->96173 96264->96175 96265->96181 96266->96186 96267->96189 96268->96194 96269->96190 96270->96195 96271->96199 96272->96204 96273->96204 96274->96204 96275->96204 96277 f82d15 96276->96277 96278 f1511f 64 API calls 96277->96278 96279 f82d29 96278->96279 96547 f82e66 96279->96547 96282 f150f5 40 API calls 96283 f82d56 96282->96283 96284 f150f5 40 API calls 96283->96284 96285 f82d66 96284->96285 96286 f150f5 40 API calls 96285->96286 96287 f82d81 96286->96287 96288 f150f5 40 API calls 96287->96288 96289 f82d9c 96288->96289 96290 f1511f 64 API calls 96289->96290 96291 f82db3 96290->96291 96292 f3ea0c ___std_exception_copy 21 API calls 96291->96292 96293 f82dba 96292->96293 
96294 f3ea0c ___std_exception_copy 21 API calls 96293->96294 96295 f82dc4 96294->96295 96296 f150f5 40 API calls 96295->96296 96297 f82dd8 96296->96297 96298 f828fe 27 API calls 96297->96298 96299 f82dee 96298->96299 96300 f82d3f 96299->96300 96553 f822ce 79 API calls 96299->96553 96300->96142 96303 f14f43 96302->96303 96304 f14f4a 96302->96304 96554 f3e678 96303->96554 96306 f14f59 96304->96306 96307 f14f6a FreeLibrary 96304->96307 96306->96144 96307->96306 96308->96156 96309->96161 96310->96166 96311->96176 96312->96185 96334 f1aec9 96313->96334 96315 f14c78 96315->96210 96317 f54ba1 96316->96317 96318 f16b67 _wcslen 96316->96318 96341 f193b2 96317->96341 96321 f16ba2 96318->96321 96322 f16b7d 96318->96322 96320 f54baa 96320->96320 96323 f2fddb 22 API calls 96321->96323 96340 f16f34 22 API calls 96322->96340 96325 f16bae 96323->96325 96327 f2fe0b 22 API calls 96325->96327 96326 f16b85 __fread_nolock 96326->96210 96327->96326 96329 f1518f __fread_nolock 96328->96329 96330 f1516e 96328->96330 96331 f2fddb 22 API calls 96329->96331 96333 f2fe0b 22 API calls 96330->96333 96332 f151a2 96331->96332 96332->96220 96333->96329 96335 f1aed9 __fread_nolock 96334->96335 96336 f1aedc 96334->96336 96335->96315 96337 f2fddb 22 API calls 96336->96337 96338 f1aee7 96337->96338 96339 f2fe0b 22 API calls 96338->96339 96339->96335 96340->96326 96342 f193c0 96341->96342 96344 f193c9 __fread_nolock 96341->96344 96343 f1aec9 22 API calls 96342->96343 96342->96344 96343->96344 96344->96320 96346 f13a67 GetModuleFileNameW 96345->96346 96346->96224 96348 f51f50 __wsopen_s 96347->96348 96349 f13aaf GetFullPathNameW 96348->96349 96350 f13ae9 96349->96350 96351 f13ace 96349->96351 96361 f1a6c3 96350->96361 96352 f16b57 22 API calls 96351->96352 96354 f13ada 96352->96354 96357 f137a0 96354->96357 96358 f137ae 96357->96358 96359 f193b2 22 API calls 96358->96359 96360 f137c2 96359->96360 96360->96227 96362 f1a6dd 96361->96362 96366 f1a6d0 96361->96366 96363 f2fddb 22 API calls 96362->96363 
96364 f1a6e7 96363->96364 96365 f2fe0b 22 API calls 96364->96365 96365->96366 96366->96354 96368 f14ec6 96367->96368 96369 f14ea8 GetProcAddress 96367->96369 96372 f3e5eb 96368->96372 96370 f14eb8 96369->96370 96370->96368 96371 f14ebf FreeLibrary 96370->96371 96371->96368 96405 f3e52a 96372->96405 96374 f14eea 96374->96239 96374->96240 96376 f14e8d 96375->96376 96377 f14e6e GetProcAddress 96375->96377 96380 f14f80 96376->96380 96378 f14e7e 96377->96378 96378->96376 96379 f14e86 FreeLibrary 96378->96379 96379->96376 96381 f2fe0b 22 API calls 96380->96381 96382 f14f95 96381->96382 96473 f15722 96382->96473 96384 f14fa1 __fread_nolock 96385 f150a5 96384->96385 96386 f53d1d 96384->96386 96396 f14fdc 96384->96396 96476 f142a2 CreateStreamOnHGlobal 96385->96476 96487 f8304d 74 API calls 96386->96487 96389 f53d22 96391 f1511f 64 API calls 96389->96391 96390 f150f5 40 API calls 96390->96396 96392 f53d45 96391->96392 96393 f150f5 40 API calls 96392->96393 96395 f1506e ISource 96393->96395 96395->96248 96396->96389 96396->96390 96396->96395 96482 f1511f 96396->96482 96398 f15107 96397->96398 96401 f53d70 96397->96401 96509 f3e8c4 96398->96509 96402 f828fe 96530 f8274e 96402->96530 96404 f82919 96404->96255 96407 f3e536 ___DestructExceptionObject 96405->96407 96406 f3e544 96430 f3f2d9 20 API calls __dosmaperr 96406->96430 96407->96406 96409 f3e574 96407->96409 96411 f3e586 96409->96411 96412 f3e579 96409->96412 96410 f3e549 96431 f427ec 26 API calls _strftime 96410->96431 96422 f48061 96411->96422 96432 f3f2d9 20 API calls __dosmaperr 96412->96432 96416 f3e58f 96417 f3e5a2 96416->96417 96418 f3e595 96416->96418 96434 f3e5d4 LeaveCriticalSection __fread_nolock 96417->96434 96433 f3f2d9 20 API calls __dosmaperr 96418->96433 96419 f3e554 __wsopen_s 96419->96374 96423 f4806d ___DestructExceptionObject 96422->96423 96435 f42f5e EnterCriticalSection 96423->96435 96425 f4807b 96436 f480fb 96425->96436 96429 f480ac __wsopen_s 96429->96416 96430->96410 96431->96419 96432->96419 
96433->96419 96434->96419 96435->96425 96442 f4811e 96436->96442 96437 f48088 96449 f480b7 96437->96449 96438 f48177 96454 f44c7d 96438->96454 96442->96437 96442->96438 96452 f3918d EnterCriticalSection 96442->96452 96453 f391a1 LeaveCriticalSection 96442->96453 96444 f48189 96444->96437 96467 f43405 11 API calls 2 library calls 96444->96467 96446 f481a8 96468 f3918d EnterCriticalSection 96446->96468 96472 f42fa6 LeaveCriticalSection 96449->96472 96451 f480be 96451->96429 96452->96442 96453->96442 96459 f44c8a __dosmaperr 96454->96459 96455 f44cca 96470 f3f2d9 20 API calls __dosmaperr 96455->96470 96456 f44cb5 RtlAllocateHeap 96457 f44cc8 96456->96457 96456->96459 96461 f429c8 96457->96461 96459->96455 96459->96456 96469 f34ead 7 API calls 2 library calls 96459->96469 96462 f429fc __dosmaperr 96461->96462 96463 f429d3 RtlFreeHeap 96461->96463 96462->96444 96463->96462 96464 f429e8 96463->96464 96471 f3f2d9 20 API calls __dosmaperr 96464->96471 96466 f429ee GetLastError 96466->96462 96467->96446 96468->96437 96469->96459 96470->96457 96471->96466 96472->96451 96474 f2fddb 22 API calls 96473->96474 96475 f15734 96474->96475 96475->96384 96477 f142bc FindResourceExW 96476->96477 96478 f142d9 96476->96478 96477->96478 96479 f535ba LoadResource 96477->96479 96478->96396 96479->96478 96480 f535cf SizeofResource 96479->96480 96480->96478 96481 f535e3 LockResource 96480->96481 96481->96478 96483 f53d90 96482->96483 96484 f1512e 96482->96484 96488 f3ece3 96484->96488 96487->96389 96491 f3eaaa 96488->96491 96490 f1513c 96490->96396 96494 f3eab6 ___DestructExceptionObject 96491->96494 96492 f3eac2 96504 f3f2d9 20 API calls __dosmaperr 96492->96504 96493 f3eae8 96506 f3918d EnterCriticalSection 96493->96506 96494->96492 96494->96493 96497 f3eac7 96505 f427ec 26 API calls _strftime 96497->96505 96499 f3eaf4 96507 f3ec0a 62 API calls 2 library calls 96499->96507 96501 f3eb08 96508 f3eb27 LeaveCriticalSection __fread_nolock 96501->96508 96503 f3ead2 __wsopen_s 96503->96490 
96504->96497 96505->96503 96506->96499 96507->96501 96508->96503 96512 f3e8e1 96509->96512 96511 f15118 96511->96402 96513 f3e8ed ___DestructExceptionObject 96512->96513 96514 f3e900 ___scrt_fastfail 96513->96514 96515 f3e92d 96513->96515 96524 f3e925 __wsopen_s 96513->96524 96525 f3f2d9 20 API calls __dosmaperr 96514->96525 96527 f3918d EnterCriticalSection 96515->96527 96517 f3e937 96528 f3e6f8 38 API calls 4 library calls 96517->96528 96520 f3e91a 96526 f427ec 26 API calls _strftime 96520->96526 96521 f3e94e 96529 f3e96c LeaveCriticalSection __fread_nolock 96521->96529 96524->96511 96525->96520 96526->96524 96527->96517 96528->96521 96529->96524 96533 f3e4e8 96530->96533 96532 f8275d 96532->96404 96536 f3e469 96533->96536 96535 f3e505 96535->96532 96537 f3e478 96536->96537 96538 f3e48c 96536->96538 96544 f3f2d9 20 API calls __dosmaperr 96537->96544 96543 f3e488 __alldvrm 96538->96543 96546 f4333f 11 API calls 2 library calls 96538->96546 96540 f3e47d 96545 f427ec 26 API calls _strftime 96540->96545 96543->96535 96544->96540 96545->96543 96546->96543 96548 f82e7a 96547->96548 96549 f150f5 40 API calls 96548->96549 96550 f82d3b 96548->96550 96551 f828fe 27 API calls 96548->96551 96552 f1511f 64 API calls 96548->96552 96549->96548 96550->96282 96550->96300 96551->96548 96552->96548 96553->96300 96555 f3e684 ___DestructExceptionObject 96554->96555 96556 f3e695 96555->96556 96557 f3e6aa 96555->96557 96584 f3f2d9 20 API calls __dosmaperr 96556->96584 96566 f3e6a5 __wsopen_s 96557->96566 96567 f3918d EnterCriticalSection 96557->96567 96559 f3e69a 96585 f427ec 26 API calls _strftime 96559->96585 96562 f3e6c6 96568 f3e602 96562->96568 96564 f3e6d1 96586 f3e6ee LeaveCriticalSection __fread_nolock 96564->96586 96566->96304 96567->96562 96569 f3e624 96568->96569 96570 f3e60f 96568->96570 96576 f3e61f 96569->96576 96587 f3dc0b 96569->96587 96619 f3f2d9 20 API calls __dosmaperr 96570->96619 96572 f3e614 96620 f427ec 26 API calls _strftime 96572->96620 96576->96564 96580 
f3e646 96604 f4862f 96580->96604 96583 f429c8 _free 20 API calls 96583->96576 96584->96559 96585->96566 96586->96566 96588 f3dc23 96587->96588 96589 f3dc1f 96587->96589 96588->96589 96590 f3d955 __fread_nolock 26 API calls 96588->96590 96593 f44d7a 96589->96593 96591 f3dc43 96590->96591 96621 f459be 62 API calls 4 library calls 96591->96621 96594 f3e640 96593->96594 96595 f44d90 96593->96595 96597 f3d955 96594->96597 96595->96594 96596 f429c8 _free 20 API calls 96595->96596 96596->96594 96598 f3d961 96597->96598 96599 f3d976 96597->96599 96622 f3f2d9 20 API calls __dosmaperr 96598->96622 96599->96580 96601 f3d966 96623 f427ec 26 API calls _strftime 96601->96623 96603 f3d971 96603->96580 96605 f48653 96604->96605 96606 f4863e 96604->96606 96608 f4868e 96605->96608 96613 f4867a 96605->96613 96627 f3f2c6 20 API calls __dosmaperr 96606->96627 96629 f3f2c6 20 API calls __dosmaperr 96608->96629 96610 f48643 96628 f3f2d9 20 API calls __dosmaperr 96610->96628 96611 f48693 96630 f3f2d9 20 API calls __dosmaperr 96611->96630 96624 f48607 96613->96624 96616 f4869b 96631 f427ec 26 API calls _strftime 96616->96631 96617 f3e64c 96617->96576 96617->96583 96619->96572 96620->96576 96621->96589 96622->96601 96623->96603 96632 f48585 96624->96632 96626 f4862b 96626->96617 96627->96610 96628->96617 96629->96611 96630->96616 96631->96617 96633 f48591 ___DestructExceptionObject 96632->96633 96643 f45147 EnterCriticalSection 96633->96643 96635 f4859f 96636 f485c6 96635->96636 96637 f485d1 96635->96637 96644 f486ae 96636->96644 96659 f3f2d9 20 API calls __dosmaperr 96637->96659 96640 f485cc 96660 f485fb LeaveCriticalSection __wsopen_s 96640->96660 96642 f485ee __wsopen_s 96642->96626 96643->96635 96661 f453c4 96644->96661 96646 f486c4 96674 f45333 21 API calls 2 library calls 96646->96674 96648 f486be 96648->96646 96649 f453c4 __wsopen_s 26 API calls 96648->96649 96658 f486f6 96648->96658 96652 f486ed 96649->96652 96650 f453c4 __wsopen_s 26 API calls 96653 f48702 CloseHandle 96650->96653 
96651 f4871c 96654 f4873e 96651->96654 96675 f3f2a3 20 API calls __dosmaperr 96651->96675 96655 f453c4 __wsopen_s 26 API calls 96652->96655 96653->96646 96656 f4870e GetLastError 96653->96656 96654->96640 96655->96658 96656->96646 96658->96646 96658->96650 96659->96640 96660->96642 96662 f453d1 96661->96662 96665 f453e6 96661->96665 96676 f3f2c6 20 API calls __dosmaperr 96662->96676 96664 f453d6 96677 f3f2d9 20 API calls __dosmaperr 96664->96677 96668 f4540b 96665->96668 96678 f3f2c6 20 API calls __dosmaperr 96665->96678 96668->96648 96669 f45416 96679 f3f2d9 20 API calls __dosmaperr 96669->96679 96670 f453de 96670->96648 96672 f4541e 96680 f427ec 26 API calls _strftime 96672->96680 96674->96651 96675->96654 96676->96664 96677->96670 96678->96669 96679->96672 96680->96670 96681 f13156 96684 f13170 96681->96684 96685 f13187 96684->96685 96686 f131eb 96685->96686 96687 f1318c 96685->96687 96724 f131e9 96685->96724 96689 f131f1 96686->96689 96690 f52dfb 96686->96690 96691 f13265 PostQuitMessage 96687->96691 96692 f13199 96687->96692 96688 f131d0 DefWindowProcW 96726 f1316a 96688->96726 96693 f131f8 96689->96693 96694 f1321d SetTimer RegisterWindowMessageW 96689->96694 96733 f118e2 10 API calls 96690->96733 96691->96726 96696 f131a4 96692->96696 96697 f52e7c 96692->96697 96698 f13201 KillTimer 96693->96698 96699 f52d9c 96693->96699 96701 f13246 CreatePopupMenu 96694->96701 96694->96726 96702 f52e68 96696->96702 96703 f131ae 96696->96703 96748 f7bf30 34 API calls ___scrt_fastfail 96697->96748 96729 f130f2 Shell_NotifyIconW ___scrt_fastfail 96698->96729 96705 f52dd7 MoveWindow 96699->96705 96706 f52da1 96699->96706 96700 f52e1c 96734 f2e499 42 API calls 96700->96734 96701->96726 96747 f7c161 27 API calls ___scrt_fastfail 96702->96747 96710 f52e4d 96703->96710 96711 f131b9 96703->96711 96705->96726 96713 f52da7 96706->96713 96714 f52dc6 SetFocus 96706->96714 96710->96688 96746 f70ad7 22 API calls 96710->96746 96717 f131c4 96711->96717 96718 f13253 96711->96718 96712 
f52e8e 96712->96688 96712->96726 96713->96717 96719 f52db0 96713->96719 96714->96726 96715 f13214 96730 f13c50 DeleteObject DestroyWindow 96715->96730 96716 f13263 96716->96726 96717->96688 96735 f130f2 Shell_NotifyIconW ___scrt_fastfail 96717->96735 96731 f1326f 44 API calls ___scrt_fastfail 96718->96731 96732 f118e2 10 API calls 96719->96732 96724->96688 96727 f52e41 96736 f13837 96727->96736 96729->96715 96730->96726 96731->96716 96732->96726 96733->96700 96734->96717 96735->96727 96737 f13862 ___scrt_fastfail 96736->96737 96749 f14212 96737->96749 96740 f138e8 96742 f53386 Shell_NotifyIconW 96740->96742 96743 f13906 Shell_NotifyIconW 96740->96743 96753 f13923 96743->96753 96745 f1391c 96745->96724 96746->96724 96747->96716 96748->96712 96750 f535a4 96749->96750 96751 f138b7 96749->96751 96750->96751 96752 f535ad DestroyIcon 96750->96752 96751->96740 96775 f7c874 42 API calls _strftime 96751->96775 96752->96751 96754 f1393f 96753->96754 96773 f13a13 96753->96773 96776 f16270 96754->96776 96757 f53393 LoadStringW 96760 f533ad 96757->96760 96758 f1395a 96759 f16b57 22 API calls 96758->96759 96761 f1396f 96759->96761 96764 f1a8c7 22 API calls 96760->96764 96768 f13994 ___scrt_fastfail 96760->96768 96762 f533c9 96761->96762 96763 f1397c 96761->96763 96766 f16350 22 API calls 96762->96766 96763->96760 96765 f13986 96763->96765 96764->96768 96781 f16350 96765->96781 96769 f533d7 96766->96769 96771 f139f9 Shell_NotifyIconW 96768->96771 96769->96768 96790 f133c6 96769->96790 96771->96773 96772 f533f9 96774 f133c6 22 API calls 96772->96774 96773->96745 96774->96768 96775->96740 96777 f2fe0b 22 API calls 96776->96777 96778 f16295 96777->96778 96779 f2fddb 22 API calls 96778->96779 96780 f1394d 96779->96780 96780->96757 96780->96758 96782 f16362 96781->96782 96783 f54a51 96781->96783 96799 f16373 96782->96799 96809 f14a88 22 API calls __fread_nolock 96783->96809 96786 f1636e 96786->96768 96787 f54a67 96788 f54a5b 96788->96787 96789 f1a8c7 22 API calls 96788->96789 
96789->96787 96791 f133dd 96790->96791 96792 f530bb 96790->96792 96815 f133ee 96791->96815 96794 f2fddb 22 API calls 96792->96794 96796 f530c5 _wcslen 96794->96796 96795 f133e8 96795->96772 96797 f2fe0b 22 API calls 96796->96797 96798 f530fe __fread_nolock 96797->96798 96800 f16382 96799->96800 96806 f163b6 __fread_nolock 96799->96806 96801 f54a82 96800->96801 96802 f163a9 96800->96802 96800->96806 96803 f2fddb 22 API calls 96801->96803 96810 f1a587 96802->96810 96805 f54a91 96803->96805 96807 f2fe0b 22 API calls 96805->96807 96806->96786 96808 f54ac5 __fread_nolock 96807->96808 96809->96788 96811 f1a59d 96810->96811 96814 f1a598 __fread_nolock 96810->96814 96812 f5f80f 96811->96812 96813 f2fe0b 22 API calls 96811->96813 96813->96814 96814->96806 96816 f133fe _wcslen 96815->96816 96817 f13411 96816->96817 96818 f5311d 96816->96818 96820 f1a587 22 API calls 96817->96820 96819 f2fddb 22 API calls 96818->96819 96821 f53127 96819->96821 96822 f1341e __fread_nolock 96820->96822 96823 f2fe0b 22 API calls 96821->96823 96822->96795 96824 f53157 __fread_nolock 96823->96824 96825 f303fb 96826 f30407 ___DestructExceptionObject 96825->96826 96854 f2feb1 96826->96854 96828 f3040e 96829 f30561 96828->96829 96832 f30438 96828->96832 96881 f3083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 96829->96881 96831 f30568 96882 f34e52 28 API calls _abort 96831->96882 96843 f30477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 96832->96843 96865 f4247d 96832->96865 96834 f3056e 96883 f34e04 28 API calls _abort 96834->96883 96837 f30576 96839 f30457 96841 f304d8 96873 f30959 96841->96873 96843->96841 96877 f34e1a 38 API calls 3 library calls 96843->96877 96845 f304de 96846 f304f3 96845->96846 96878 f30992 GetModuleHandleW 96846->96878 96848 f304fa 96848->96831 96849 f304fe 96848->96849 96850 f30507 96849->96850 96879 f34df5 28 API calls _abort 96849->96879 96880 f30040 13 API calls 2 library calls 
96850->96880 96853 f3050f 96853->96839 96855 f2feba 96854->96855 96884 f30698 IsProcessorFeaturePresent 96855->96884 96857 f2fec6 96885 f32c94 10 API calls 3 library calls 96857->96885 96859 f2fecb 96864 f2fecf 96859->96864 96886 f42317 96859->96886 96862 f2fee6 96862->96828 96864->96828 96866 f42494 96865->96866 96867 f30a8c CatchGuardHandler 5 API calls 96866->96867 96868 f30451 96867->96868 96868->96839 96869 f42421 96868->96869 96871 f42450 96869->96871 96870 f30a8c CatchGuardHandler 5 API calls 96872 f42479 96870->96872 96871->96870 96872->96843 96945 f32340 96873->96945 96876 f3097f 96876->96845 96877->96841 96878->96848 96879->96850 96880->96853 96881->96831 96882->96834 96883->96837 96884->96857 96885->96859 96890 f4d1f6 96886->96890 96889 f32cbd 8 API calls 3 library calls 96889->96864 96893 f4d213 96890->96893 96894 f4d20f 96890->96894 96892 f2fed8 96892->96862 96892->96889 96893->96894 96896 f44bfb 96893->96896 96908 f30a8c 96894->96908 96897 f44c07 ___DestructExceptionObject 96896->96897 96915 f42f5e EnterCriticalSection 96897->96915 96899 f44c0e 96916 f450af 96899->96916 96901 f44c1d 96907 f44c2c 96901->96907 96929 f44a8f 29 API calls 96901->96929 96904 f44c27 96930 f44b45 GetStdHandle GetFileType 96904->96930 96905 f44c3d __wsopen_s 96905->96893 96931 f44c48 LeaveCriticalSection _abort 96907->96931 96909 f30a97 IsProcessorFeaturePresent 96908->96909 96910 f30a95 96908->96910 96912 f30c5d 96909->96912 96910->96892 96944 f30c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 96912->96944 96914 f30d40 96914->96892 96915->96899 96917 f450bb ___DestructExceptionObject 96916->96917 96918 f450df 96917->96918 96919 f450c8 96917->96919 96932 f42f5e EnterCriticalSection 96918->96932 96940 f3f2d9 20 API calls __dosmaperr 96919->96940 96922 f450eb 96928 f45117 96922->96928 96933 f45000 96922->96933 96923 f450cd 96941 f427ec 26 API calls _strftime 96923->96941 96926 f450d7 __wsopen_s 96926->96901 96942 f4513e 

                                          Control-flow Graph

                                          control_flow_graph 234 f142de-f1434d call f1a961 GetVersionExW call f16b57 239 f53617-f5362a 234->239 240 f14353 234->240 241 f5362b-f5362f 239->241 242 f14355-f14357 240->242 243 f53631 241->243 244 f53632-f5363e 241->244 245 f53656 242->245 246 f1435d-f143bc call f193b2 call f137a0 242->246 247 f53640-f53642 244->247 250 f5365d-f53660 245->250 263 f143c2-f143c4 246->263 264 f537df-f537e6 246->264 247->242 249 f53648-f5364f 247->249 249->239 252 f53651 249->252 253 f53666-f536a8 250->253 254 f1441b-f14435 GetCurrentProcess IsWow64Process 250->254 252->245 253->254 258 f536ae-f536b1 253->258 256 f14494-f1449a 254->256 257 f14437 254->257 260 f1443d-f14449 256->260 257->260 261 f536b3-f536bd 258->261 262 f536db-f536e5 258->262 269 f53824-f53828 GetSystemInfo 260->269 270 f1444f-f1445e LoadLibraryA 260->270 271 f536bf-f536c5 261->271 272 f536ca-f536d6 261->272 265 f536e7-f536f3 262->265 266 f536f8-f53702 262->266 263->250 273 f143ca-f143dd 263->273 267 f53806-f53809 264->267 268 f537e8 264->268 265->254 277 f53715-f53721 266->277 278 f53704-f53710 266->278 279 f537f4-f537fc 267->279 280 f5380b-f5381a 267->280 276 f537ee 268->276 281 f14460-f1446e GetProcAddress 270->281 282 f1449c-f144a6 GetSystemInfo 270->282 271->254 272->254 274 f143e3-f143e5 273->274 275 f53726-f5372f 273->275 283 f5374d-f53762 274->283 284 f143eb-f143ee 274->284 285 f53731-f53737 275->285 286 f5373c-f53748 275->286 276->279 277->254 278->254 279->267 280->276 287 f5381c-f53822 280->287 281->282 288 f14470-f14474 GetNativeSystemInfo 281->288 289 f14476-f14478 282->289 292 f53764-f5376a 283->292 293 f5376f-f5377b 283->293 290 f53791-f53794 284->290 291 f143f4-f1440f 284->291 285->254 286->254 287->279 288->289 294 f14481-f14493 289->294 295 f1447a-f1447b FreeLibrary 289->295 290->254 298 f5379a-f537c1 290->298 296 f14415 291->296 297 f53780-f5378c 291->297 292->254 293->254 295->294 296->254 297->254 299 f537c3-f537c9 298->299 300 f537ce-f537da 298->300 299->254 300->254
                                          APIs
                                          • GetVersionExW.KERNEL32(?), ref: 00F1430D
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          • GetCurrentProcess.KERNEL32(?,00FACB64,00000000,?,?), ref: 00F14422
                                          • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F14429
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F14454
                                          • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F14466
                                          • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00F14474
                                          • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F1447B
                                          • GetSystemInfo.KERNEL32(?,?,?), ref: 00F144A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                          • String ID: GetNativeSystemInfo$kernel32.dll$|O
                                          • API String ID: 3290436268-3101561225
                                          • Opcode ID: b45b968ed44afe1f05002fefd3b2417dc22b3b71b28490602c96512c7a8dfaf3
                                          • Instruction ID: 51194602facef63a8965b1a133724d907a3b7dd2fc2b2ce9e28b598ab67fc5c6
                                          • Opcode Fuzzy Hash: b45b968ed44afe1f05002fefd3b2417dc22b3b71b28490602c96512c7a8dfaf3
                                          • Instruction Fuzzy Hash: 1DA1A376D0A2CCCFC711CBAF7CC06D97FA47B66751B184899D8819BA22D2305948FB72

                                          Control-flow Graph

                                          control_flow_graph 553 f142a2-f142ba CreateStreamOnHGlobal 554 f142da-f142dd 553->554 555 f142bc-f142d3 FindResourceExW 553->555 556 f142d9 555->556 557 f535ba-f535c9 LoadResource 555->557 556->554 557->556 558 f535cf-f535dd SizeofResource 557->558 558->556 559 f535e3-f535ee LockResource 558->559 559->556 560 f535f4-f53612 559->560 560->556
                                          APIs
                                          • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142B2
                                          • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142C9
                                          • LoadResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535BE
                                          • SizeofResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535D3
                                          • LockResource.KERNEL32(00F150AA,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20,?), ref: 00F535E6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                          • String ID: SCRIPT
                                          • API String ID: 3051347437-3967369404
                                          • Opcode ID: fc3e8caa0ba3bb2016c0943d4b805790c6eaf1d4bd68380417fb98b2627d0343
                                          • Instruction ID: 55108f33f8696cdf5bef9ccb9002af7ab4335e8ad1987d307619fe4832273368
                                          • Opcode Fuzzy Hash: fc3e8caa0ba3bb2016c0943d4b805790c6eaf1d4bd68380417fb98b2627d0343
                                          • Instruction Fuzzy Hash: 35118EB1600705BFD7218B65DC48F677BBAEBC6B51F144169F402D6290DB71EC40A670
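The listing above is the sequence a compiled AutoIt3 binary uses to fetch its embedded script: FindResourceExW with type 0000000A (RT_RCDATA) and name SCRIPT, then LoadResource, SizeofResource and LockResource, with the result wrapped in a stream by CreateStreamOnHGlobal. The same resource can be pulled out of the file statically, without running the sample. The following Python is an added example written for this report, not AutoIt's or Joe Sandbox's code: a pure-stdlib walk of the PE resource directory that returns the RCDATA/SCRIPT blob. It assumes a well-formed PE32 or PE32+ image, takes the first language entry it finds, and uses a constructed minimal PE as input so it runs offline; the AU3!EA06 token is the marker seen in AutoIt3 script blobs, and the 16-byte signature that precedes it in real samples is replaced by dummy bytes in the constructed blob.

```python
"""Added example: extract the RT_RCDATA "SCRIPT" resource of a compiled AutoIt3
binary by walking the PE resource directory (stdlib only, no pefile).
Not AutoIt or Joe Sandbox code; the sample PE below is constructed."""
import struct

RT_RCDATA = 10
AU3_MARKER = b"AU3!EA06"  # token that follows the 16-byte signature in AutoIt3 script blobs


def _rva_to_off(sections, rva):
    """Map an RVA to a file offset through the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _dir_entries(rsrc, off):
    """Yield (key, target_offset, is_subdirectory) for one IMAGE_RESOURCE_DIRECTORY."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        name, target = struct.unpack_from("<II", rsrc, off + 16 + 8 * i)
        if name & 0x80000000:  # high bit set: IMAGE_RESOURCE_DIR_STRING_U (UTF-16, length-prefixed)
            s = name & 0x7FFFFFFF
            (length,) = struct.unpack_from("<H", rsrc, s)
            key = rsrc[s + 2 : s + 2 + 2 * length].decode("utf-16-le")
        else:
            key = name
        yield key, target & 0x7FFFFFFF, bool(target & 0x80000000)


def find_resource(pe, rtype, rname):
    """Return the bytes of resource type/name (first language seen) or None."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[:2] != b"MZ" or pe[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    (n_sections,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (96 if magic == 0x10B else 112)  # data directories: PE32 vs PE32+
    rsrc_rva, rsrc_size = struct.unpack_from("<II", pe, dirs + 2 * 8)  # DataDirectory[2] = resources
    sections = []
    for i in range(n_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    base = _rva_to_off(sections, rsrc_rva)
    rsrc = pe[base : base + rsrc_size]
    for key, off, is_dir in _dir_entries(rsrc, 0):            # level 1: type
        if key != rtype or not is_dir:
            continue
        for key2, off2, is_dir2 in _dir_entries(rsrc, off):    # level 2: name
            if key2 != rname or not is_dir2:
                continue
            for _lang, off3, is_dir3 in _dir_entries(rsrc, off2):  # level 3: language -> data entry
                if not is_dir3:
                    data_rva, size = struct.unpack_from("<II", rsrc, off3)
                    start = _rva_to_off(sections, data_rva)
                    return bytes(pe[start : start + size])
    return None


def looks_like_au3(blob):
    return blob is not None and AU3_MARKER in blob[:64]


def build_sample_pe(payload):
    """Constructed minimal PE32 with one .rsrc section holding RCDATA / "SCRIPT" / lang 0."""
    RSRC_RVA, RSRC_RAW, RSRC_SIZE = 0x2000, 0x200, 0x200
    r = bytearray(RSRC_SIZE)

    def directory(at, entries):  # entries: (id or 0x80000000|string_offset, target, is_dir)
        named = sum(1 for e in entries if e[0] & 0x80000000)
        struct.pack_into("<IIHHHH", r, at, 0, 0, 0, 0, named, len(entries) - named)
        for i, (key, target, is_dir) in enumerate(entries):
            struct.pack_into("<II", r, at + 16 + 8 * i, key, target | (0x80000000 if is_dir else 0))

    directory(0x00, [(RT_RCDATA, 0x18, True)])
    directory(0x18, [(0x80000000 | 0x30, 0x40, True)])
    r[0x30:0x3E] = struct.pack("<H", 6) + "SCRIPT".encode("utf-16-le")
    directory(0x40, [(0, 0x58, False)])
    struct.pack_into("<IIII", r, 0x58, RSRC_RVA + 0x68, len(payload), 0, 0)  # data entry
    r[0x68 : 0x68 + len(payload)] = payload
    hdr = bytearray(RSRC_RAW)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<II", hdr, opt + 96 + 2 * 8, RSRC_RVA, RSRC_SIZE)  # resource data directory
    sec = opt + 0xE0
    hdr[sec : sec + 8] = b".rsrc\0\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, RSRC_SIZE, RSRC_RVA, RSRC_SIZE, RSRC_RAW)
    return bytes(hdr + r)


# Constructed blob: dummy 16-byte signature, the AU3 marker, then placeholder body.
SCRIPT_BLOB = bytes(range(16)) + AU3_MARKER + b"<compiled script body>"
SAMPLE_PE = build_sample_pe(SCRIPT_BLOB)

if __name__ == "__main__":
    blob = find_resource(SAMPLE_PE, RT_RCDATA, "SCRIPT")
    print(len(blob), "bytes, AU3 marker present:", looks_like_au3(blob))
```

On a real sample, read the file into `pe` and call `find_resource(pe, RT_RCDATA, "SCRIPT")`; a hit with the AU3 marker confirms the "compiled AutoIt script" verdict, and the blob is what a decompiler needs. Newer AutoIt builds may append the script to the file instead of using a resource, in which case this lookup returns None and the file tail has to be checked separately.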

                                          Control-flow Graph

                                          APIs
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F12B6B
                                            • Part of subcall function 00F13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE1418,?,00F12E7F,?,?,?,00000000), ref: 00F13A78
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • GetForegroundWindow.USER32(runas,?,?,?,?,?,00FD2224), ref: 00F52C10
                                          • ShellExecuteW.SHELL32(00000000,?,?,00FD2224), ref: 00F52C17
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                          • String ID: runas
                                          • API String ID: 448630720-4000483414
                                          • Opcode ID: bafd94b8747a47d83843e1055c4a11b2d4143c4a7d255c021c19ed7e4783ba54
                                          • Instruction ID: 4526e7ddff3981e8f505b1054f47390f9dac1f28d704779a06767caad0942dff
                                          • Opcode Fuzzy Hash: bafd94b8747a47d83843e1055c4a11b2d4143c4a7d255c021c19ed7e4783ba54
                                          • Instruction Fuzzy Hash: 2911D2316083456AC704FF61DC519EE77A5ABD2320F44042EB182021A3CF388A89B792
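Three of the listings above carry the behaviours worth pulling out of this report first: the RT_RCDATA "SCRIPT" resource load, the IsWow64Process / GetNativeSystemInfo architecture probe, and ShellExecuteW with the "runas" verb (an elevation prompt). Note that Joe Sandbox recovers arguments from stack slots, so "runas" is shown as the first argument of GetForegroundWindow, which takes no arguments; it is the lpOperation verb of the ShellExecuteW call next to it. The following Python is an added example, not Joe Sandbox code: it parses the report's own line formats (the "• Api.MODULE(args), ref: ADDR" bullets and the "control_flow_graph ..." edge lists), collects the API set per function, and matches rule sets against it, looking for argument strings across the whole function rather than per call for the reason just given. The sample blocks are excerpts copied from the listings on this page; the label block_F12B6B is assumed, since the page does not give that function's start address. Bear in mind that the window class "AutoIt v3 GUI" and the registry key Software\AutoIt v3\AutoIt seen in the other listings are the stock AutoIt3 runtime's, so hits in interpreter boilerplate matter less than what the embedded script does.

```python
"""Added example: triage Joe Sandbox function listings by their API set.
Not Joe Sandbox code; sample blocks are excerpts copied from this report."""
import re
from dataclasses import dataclass, field

# '• Api.MODULE(args), ref: ADDR' and the indented '• Part of subcall function X: ...' variant.
API_LINE = re.compile(
    r"•\s*(?P<sub>Part of subcall function\s+[0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# In the edge lists, block ids and 'call' are lowercase; Win32 API names are CamelCase.
CFG_NAME = re.compile(r"\b([A-Z][A-Za-z0-9_]+)\b")


@dataclass
class Function:
    label: str
    calls: list = field(default_factory=list)  # (api, module, args, ref, via_subcall)

    def apis(self, include_subcalls=True):
        return {c[0] for c in self.calls if include_subcalls or not c[4]}

    def args_text(self):
        """All recovered argument text of the function, joined (stack-slot attribution is fuzzy)."""
        return " ".join(c[2] for c in self.calls if c[2])


def parse_block(label, text):
    """Collect API names from both the bullet list and the CFG edge list of one function."""
    fn = Function(label)
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            fn.calls.append((m["api"], m["module"], m["args"] or "", m["ref"], bool(m["sub"])))
        elif line.lstrip().startswith("control_flow_graph"):
            for name in CFG_NAME.findall(line):
                fn.calls.append((name, "?", "", "", False))
    return fn


# (key, API names that must all be present, argument substring that must appear somewhere)
RULES = [
    ("autoit_script_resource",
     {"FindResourceExW", "LoadResource", "SizeofResource", "LockResource"}, "SCRIPT"),
    ("runas_elevation", {"ShellExecuteW"}, "runas"),
    ("arch_probe", {"IsWow64Process", "GetNativeSystemInfo"}, None),
]


def triage(functions):
    """Return {function label: [matched rule keys]} for functions that hit at least one rule."""
    hits = {}
    for fn in functions:
        matched = [key for key, needed, needle in RULES
                   if needed <= fn.apis() and (needle is None or needle in fn.args_text())]
        if matched:
            hits[fn.label] = matched
    return hits


# Constructed sample: excerpts copied from the listings above (CFG line shortened).
SAMPLE_BLOCKS = {
    "f142a2": """
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F150AA,?,?,00000000,00000000), ref: 00F142C9
• LoadResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535BE
• SizeofResource.KERNEL32(?,00000000,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20), ref: 00F535D3
• LockResource.KERNEL32(00F150AA,?,?,00F150AA,?,?,00000000,00000000,?,?,?,?,?,?,00F14F20,?), ref: 00F535E6
""",
    "block_F12B6B": """
• SetCurrentDirectoryW.KERNEL32(?), ref: 00F12B6B
  • Part of subcall function 00F13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE1418,?,00F12E7F,?,?,?,00000000), ref: 00F13A78
  • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00FD2224), ref: 00F52C10
• ShellExecuteW.SHELL32(00000000,?,?,00FD2224), ref: 00F52C17
""",
    "f142de": "control_flow_graph 234 f142de-f1434d call f1a961 GetVersionExW call f16b57 "
              "254 f1441b-f14435 GetCurrentProcess IsWow64Process 250->254 "
              "270 f1444f-f1445e LoadLibraryA 260->270 281 f14460-f1446e GetProcAddress 270->281 "
              "288 f14470-f14474 GetNativeSystemInfo 281->288 295 f1447a-f1447b FreeLibrary 289->295",
}
SAMPLE_FUNCTIONS = [parse_block(label, text) for label, text in SAMPLE_BLOCKS.items()]

if __name__ == "__main__":
    for label, keys in triage(SAMPLE_FUNCTIONS).items():
        print(label, "->", ", ".join(keys))
```

To use it on a whole report, split the "APIs" sections into one string per function and feed each to `parse_block`; `apis(include_subcalls=False)` drops the APIs reached only through callees, which helps when a rule should fire on the function's own calls.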
                                          APIs
                                          • GetInputState.USER32 ref: 00F1D807
                                          • timeGetTime.WINMM ref: 00F1DA07
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1DB28
                                          • TranslateMessage.USER32(?), ref: 00F1DB7B
                                          • DispatchMessageW.USER32(?), ref: 00F1DB89
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F1DB9F
                                          • Sleep.KERNEL32(0000000A), ref: 00F1DBB1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                          • String ID:
                                          • API String ID: 2189390790-0
                                          • Opcode ID: cc80916acb49a3e1f524f31f5bdba02627f276e0e32d85017bcb20092e65b477
                                          • Instruction ID: d85022a5f0556fc360c59c29fa677eb79349a246dd6b6011493b58027e717df8
                                          • Opcode Fuzzy Hash: cc80916acb49a3e1f524f31f5bdba02627f276e0e32d85017bcb20092e65b477
                                          • Instruction Fuzzy Hash: 2E42F371A08745DFD728CF24C884BAAB7F4BF86324F54461DE4568B291D778E884FB82

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00F12D07
                                          • RegisterClassExW.USER32(00000030), ref: 00F12D31
                                          • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F12D42
                                          • InitCommonControlsEx.COMCTL32(?), ref: 00F12D5F
                                          • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F12D6F
                                          • LoadIconW.USER32(000000A9), ref: 00F12D85
                                          • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F12D94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                          • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                          • API String ID: 2914291525-1005189915
                                          • Opcode ID: 1585319b0ed6bcd605fdfb697eeeb635f7a8fa625b3a50fd664d22ea9878c0f1
                                          • Instruction ID: c74e6594abcf0b4346f7fe5cb5e37f6e87bf728f36c7e7559c50c4f7054fc0d6
                                          • Opcode Fuzzy Hash: 1585319b0ed6bcd605fdfb697eeeb635f7a8fa625b3a50fd664d22ea9878c0f1
                                          • Instruction Fuzzy Hash: BE21C0B591125CAFDB00DFA5E889BEDBBB4FB09700F00811AF511AA2A0D7B55544EFA1

                                          Control-flow Graph

                                          control_flow_graph 302 f5065b-f5068b call f5042f 305 f506a6-f506b2 call f45221 302->305 306 f5068d-f50698 call f3f2c6 302->306 312 f506b4-f506c9 call f3f2c6 call f3f2d9 305->312 313 f506cb-f50714 call f5039a 305->313 311 f5069a-f506a1 call f3f2d9 306->311 322 f5097d-f50983 311->322 312->311 320 f50716-f5071f 313->320 321 f50781-f5078a GetFileType 313->321 324 f50756-f5077c GetLastError call f3f2a3 320->324 325 f50721-f50725 320->325 326 f507d3-f507d6 321->326 327 f5078c-f507bd GetLastError call f3f2a3 CloseHandle 321->327 324->311 325->324 331 f50727-f50754 call f5039a 325->331 329 f507df-f507e5 326->329 330 f507d8-f507dd 326->330 327->311 341 f507c3-f507ce call f3f2d9 327->341 334 f507e9-f50837 call f4516a 329->334 335 f507e7 329->335 330->334 331->321 331->324 344 f50847-f5086b call f5014d 334->344 345 f50839-f50845 call f505ab 334->345 335->334 341->311 352 f5086d 344->352 353 f5087e-f508c1 344->353 345->344 351 f5086f-f50879 call f486ae 345->351 351->322 352->351 354 f508c3-f508c7 353->354 355 f508e2-f508f0 353->355 354->355 357 f508c9-f508dd 354->357 358 f508f6-f508fa 355->358 359 f5097b 355->359 357->355 358->359 361 f508fc-f5092f CloseHandle call f5039a 358->361 359->322 364 f50931-f5095d GetLastError call f3f2a3 call f45333 361->364 365 f50963-f50977 361->365 364->365 365->359
                                          APIs
                                            • Part of subcall function 00F5039A: CreateFileW.KERNELBASE(00000000,00000000,?,00F50704,?,?,00000000,?,00F50704,00000000,0000000C), ref: 00F503B7
                                          • GetLastError.KERNEL32 ref: 00F5076F
                                          • __dosmaperr.LIBCMT ref: 00F50776
                                          • GetFileType.KERNELBASE(00000000), ref: 00F50782
                                          • GetLastError.KERNEL32 ref: 00F5078C
                                          • __dosmaperr.LIBCMT ref: 00F50795
                                          • CloseHandle.KERNEL32(00000000), ref: 00F507B5
                                          • CloseHandle.KERNEL32(?), ref: 00F508FF
                                          • GetLastError.KERNEL32 ref: 00F50931
                                          • __dosmaperr.LIBCMT ref: 00F50938
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: d511e2fe65402bc191fc0b4d97c93ca4a4cfdf16ee2dda939366c50059d87c02
                                          • Instruction ID: dba7ddd01e981a15924fcf054e8a03e996bff51637816122926a387ffe51bcfc
                                          • Opcode Fuzzy Hash: d511e2fe65402bc191fc0b4d97c93ca4a4cfdf16ee2dda939366c50059d87c02
                                          • Instruction Fuzzy Hash: 65A11532E001488FDF19AF68DC91BAE3BA0EB46321F140159FD159F392DF35991AEB91

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 00F13A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00FE1418,?,00F12E7F,?,?,?,00000000), ref: 00F13A78
                                            • Part of subcall function 00F13357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F13379
                                          • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F1356A
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F5318D
                                          • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F531CE
                                          • RegCloseKey.ADVAPI32(?), ref: 00F53210
                                          • _wcslen.LIBCMT ref: 00F53277
                                          • _wcslen.LIBCMT ref: 00F53286
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                          • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                          • API String ID: 98802146-2727554177
                                          • Opcode ID: 64afc03ab728187045f9fb63e0c4f9a381f0a2b60c3ac7f803233790d1b97073
                                          • Instruction ID: b83c8b2c42a7ba7f3ef5034bc958b3db98dcfce79656ddea4240d5e6487666ff
                                          • Opcode Fuzzy Hash: 64afc03ab728187045f9fb63e0c4f9a381f0a2b60c3ac7f803233790d1b97073
                                          • Instruction Fuzzy Hash: CA71A1B14043499EC314DF69DC829ABBBECFF85750F40042EF54597161EB789A88EFA2

                                          Control-flow Graph

                                          APIs
                                          • GetSysColorBrush.USER32(0000000F), ref: 00F12B8E
                                          • LoadCursorW.USER32(00000000,00007F00), ref: 00F12B9D
                                          • LoadIconW.USER32(00000063), ref: 00F12BB3
                                          • LoadIconW.USER32(000000A4), ref: 00F12BC5
                                          • LoadIconW.USER32(000000A2), ref: 00F12BD7
                                          • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F12BEF
                                          • RegisterClassExW.USER32(?), ref: 00F12C40
                                            • Part of subcall function 00F12CD4: GetSysColorBrush.USER32(0000000F), ref: 00F12D07
                                            • Part of subcall function 00F12CD4: RegisterClassExW.USER32(00000030), ref: 00F12D31
                                            • Part of subcall function 00F12CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F12D42
                                            • Part of subcall function 00F12CD4: InitCommonControlsEx.COMCTL32(?), ref: 00F12D5F
                                            • Part of subcall function 00F12CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F12D6F
                                            • Part of subcall function 00F12CD4: LoadIconW.USER32(000000A9), ref: 00F12D85
                                            • Part of subcall function 00F12CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F12D94
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                          • String ID: #$0$AutoIt v3
                                          • API String ID: 423443420-4155596026
                                          • Opcode ID: 6a9b33e408fed3043f8bcdeb19de5974f8e908b5af22a2c5dba4f55c41fc50c9
                                          • Instruction ID: 2af520d5c4423c9b0c3a1c5b64128af7c1ebdb4f27316455ade0a86dd0dc5d11
                                          • Opcode Fuzzy Hash: 6a9b33e408fed3043f8bcdeb19de5974f8e908b5af22a2c5dba4f55c41fc50c9
                                          • Instruction Fuzzy Hash: E7212CB4E0035CAFDB109FA6EC95AAE7FB4FB48B50F04001AF600AA7A0D7B11540EF90

                                          Control-flow Graph

                                          control_flow_graph 443 f13170-f13185 444 f131e5-f131e7 443->444 445 f13187-f1318a 443->445 444->445 446 f131e9 444->446 447 f131eb 445->447 448 f1318c-f13193 445->448 449 f131d0-f131d8 DefWindowProcW 446->449 450 f131f1-f131f6 447->450 451 f52dfb-f52e23 call f118e2 call f2e499 447->451 452 f13265-f1326d PostQuitMessage 448->452 453 f13199-f1319e 448->453 454 f131de-f131e4 449->454 456 f131f8-f131fb 450->456 457 f1321d-f13244 SetTimer RegisterWindowMessageW 450->457 485 f52e28-f52e2f 451->485 455 f13219-f1321b 452->455 459 f131a4-f131a8 453->459 460 f52e7c-f52e90 call f7bf30 453->460 455->454 461 f13201-f13214 KillTimer call f130f2 call f13c50 456->461 462 f52d9c-f52d9f 456->462 457->455 464 f13246-f13251 CreatePopupMenu 457->464 465 f52e68-f52e77 call f7c161 459->465 466 f131ae-f131b3 459->466 460->455 476 f52e96 460->476 461->455 468 f52dd7-f52df6 MoveWindow 462->468 469 f52da1-f52da5 462->469 464->455 465->455 473 f52e4d-f52e54 466->473 474 f131b9-f131be 466->474 468->455 477 f52da7-f52daa 469->477 478 f52dc6-f52dd2 SetFocus 469->478 473->449 479 f52e5a-f52e63 call f70ad7 473->479 483 f13253-f13263 call f1326f 474->483 484 f131c4-f131ca 474->484 476->449 477->484 486 f52db0-f52dc1 call f118e2 477->486 478->455 479->449 483->455 484->449 484->485 485->449 491 f52e35-f52e48 call f130f2 call f13837 485->491 486->455 491->449
                                          APIs
                                          • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F1316A,?,?), ref: 00F131D8
                                          • KillTimer.USER32(?,00000001,?,?,?,?,?,00F1316A,?,?), ref: 00F13204
                                          • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F13227
                                          • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F1316A,?,?), ref: 00F13232
                                          • CreatePopupMenu.USER32 ref: 00F13246
                                          • PostQuitMessage.USER32(00000000), ref: 00F13267
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                          • String ID: TaskbarCreated
                                          • API String ID: 129472671-2362178303
                                          • Opcode ID: c377890cba860f52b496fb33b514aed2264f9f9357e51ad6459d3805b4b8781c
                                          • Instruction ID: 636be5515488bb3a1f2ae2571f31342d39366c4dedb21e6f06b70397c5ad683d
                                          • Opcode Fuzzy Hash: c377890cba860f52b496fb33b514aed2264f9f9357e51ad6459d3805b4b8781c
                                          • Instruction Fuzzy Hash: AD414C32B40288BBDB156B79DD4DBFD3659FB06360F040125F902DA1A2DB758EC0B7A1

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 0112FD51
                                          • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0112FF77
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateFileFreeVirtual
                                          • String ID:
                                          • API String ID: 204039940-0
                                          • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                          • Instruction ID: b435c2afa7712baaaf5be55ca452dc85758e58d7b73f1c1be8f1b95882e90af5
                                          • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                          • Instruction Fuzzy Hash: 6AA13A70E0021AEBDB18CFA4C894BEEBBB5FF48704F208559E215BB281C7759A51CF95

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                          • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F12C91
                                          • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F12CB2
                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F11CAD,?), ref: 00F12CC6
                                          • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F11CAD,?), ref: 00F12CCF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$CreateShow
                                          • String ID: AutoIt v3$edit
                                          • API String ID: 1584632944-3779509399
                                          • Opcode ID: 1d77efcbe94a056e81a2eb8148c298537651410a56b0c4d79a0b14c31b05ad75
                                          • Instruction ID: adc431002a4ec24a83f9557b21874629043ef246781918de4c79d106525406c4
                                          • Opcode Fuzzy Hash: 1d77efcbe94a056e81a2eb8148c298537651410a56b0c4d79a0b14c31b05ad75
                                          • Instruction Fuzzy Hash: 84F0DAB55402D87EEB311717AC88E773EBDE7CBF50B00005AF900AB5A0C6721851FAB1

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                            • Part of subcall function 0112F950: Sleep.KERNELBASE(000001F4), ref: 0112F961
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0112FB6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateFileSleep
                                          • String ID: 68LX7KHYB7ZJIVSAQGNY
                                          • API String ID: 2694422964-2017279361
                                          • Opcode ID: a69128c90fd9a5ddcd407ec578bfd395f7fbc59d488ccc69f9f00154c66dd271
                                          • Instruction ID: b8548e94eac776ac94ab9bc1bc8abb403ca9cc785a16829b730d1027340e7cf2
                                          • Opcode Fuzzy Hash: a69128c90fd9a5ddcd407ec578bfd395f7fbc59d488ccc69f9f00154c66dd271
                                          • Instruction Fuzzy Hash: 0751A170D0425EEAEF15DBA4C908BEEBBB5AF05304F004199E6087B2C0D7B91B45CBA5

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                          • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B40
                                          • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B61
                                          • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00F13B0F,SwapMouseButtons,00000004,?), ref: 00F13B83
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: Control Panel\Mouse
                                          • API String ID: 3677997916-824357125
                                          • Opcode ID: addff0664ff5f7f9c664d7a05a5ee50760040429bcc2121877202f7c92b3a0aa
                                          • Instruction ID: a68cfb62dc82f1ff4fc304210acb5ab8610a449c6db158da9e270f656d95a44b
                                          • Opcode Fuzzy Hash: addff0664ff5f7f9c664d7a05a5ee50760040429bcc2121877202f7c92b3a0aa
                                          • Instruction Fuzzy Hash: 9F112AB5514208FFDB20CFA5DC44AEFBBB8EF45754B108459A805D7110E2319E80A7A0

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 0112F17D
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0112F1A1
                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0112F1C3
                                          • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 0112F4CC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                          • String ID:
                                          • API String ID: 572931308-0
                                          • Opcode ID: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                                          • Instruction ID: 5935a850784c03b3d972eeb787437923f8d7933e455c2227014e4bd67171f0b2
                                          • Opcode Fuzzy Hash: 766b881ec6164bc259338bbbecc08836d97cc5066010a81dd887eea552f5ff52
                                          • Instruction Fuzzy Hash: 22621C30A14259DBEB28CFA4C850BDEB772EF58300F1091A9D10DEB394E7799E91CB59
                                          Strings
                                          • Variable must be of type 'Object'., xrefs: 00F632B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable must be of type 'Object'.
                                          • API String ID: 0-109567571
                                          • Opcode ID: cd17a6ccc39fa23a198898beb63411a2a6c60076e506c12c1645d5b3e8d09e6f
                                          • Instruction ID: 55f3d0fee54423652e9015185545973c33c0fe06317cc22a6f1c9e16e6fc7ea7
                                          • Opcode Fuzzy Hash: cd17a6ccc39fa23a198898beb63411a2a6c60076e506c12c1645d5b3e8d09e6f
                                          • Instruction Fuzzy Hash: CCC27975E00215CFCB24CF58C880BADB7B1BF18320F248569ED56AB291D775ED82EB91

                                          Control-flow Graph (rendered image; executed / not executed block colouring and edge list not reproduced)
                                          APIs
                                          • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F533A2
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F13A04
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: IconLoadNotifyShell_String_wcslen
                                          • String ID: Line:
                                          • API String ID: 2289894680-1585850449
                                          • Opcode ID: d023eca7b2301bf2e7dc1c56e13378f2a943308bd39e7e1a105a04d5604cea85
                                          • Instruction ID: 9ea926ef1b92a2300f8ef346a3261b59f3ede2e8e63ed87f05a20c103ee1b14c
                                          • Opcode Fuzzy Hash: d023eca7b2301bf2e7dc1c56e13378f2a943308bd39e7e1a105a04d5604cea85
                                          • Instruction Fuzzy Hash: EF31C671408344AED725EB20DC45FEFB7D8AF44720F00452AF59993191DF789689EBC2
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00F30668
                                            • Part of subcall function 00F332A4: RaiseException.KERNEL32(?,?,?,00F3068A,?,00FE1444,?,?,?,?,?,?,00F3068A,00F11129,00FD8738,00F11129), ref: 00F33304
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00F30685
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID: Unknown exception
                                          • API String ID: 3476068407-410509341
                                          • Opcode ID: c8850795b2f23061a04faf7340498fd3c3bee80acb4d6e2e6d681e5ba83be58f
                                          • Instruction ID: 027d44a78bd18a5cb00105a13659a00c0094f9480c1e416cab69c947ce48ec2f
                                          • Opcode Fuzzy Hash: c8850795b2f23061a04faf7340498fd3c3bee80acb4d6e2e6d681e5ba83be58f
                                          • Instruction Fuzzy Hash: 76F0C23490020DB7CB00F6A4EC56D9E777C9E00370FA04532B824D6596EF75EA6AF981
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00F982F5
                                          • TerminateProcess.KERNEL32(00000000), ref: 00F982FC
                                          • FreeLibrary.KERNEL32(?,?,?,?), ref: 00F984DD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$CurrentFreeLibraryTerminate
                                          • String ID:
                                          • API String ID: 146820519-0
                                          • Opcode ID: ecbe3dc614063cdd2c820636dbb6aaaf1f3fb7f3eb9dc409b1998e861d468bd5
                                          • Instruction ID: e3eefad2e4edf5d3ccd0a2defd1e7ea7a34bb2d2a5a6af9fdc055dfec9fb5124
                                          • Opcode Fuzzy Hash: ecbe3dc614063cdd2c820636dbb6aaaf1f3fb7f3eb9dc409b1998e861d468bd5
                                          • Instruction Fuzzy Hash: E7127C71A083019FDB14DF28C484B6ABBE5FF85364F04895DE8898B252CB35ED46DF92
                                          APIs
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F11BF4
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F11BFC
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F11C07
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F11C12
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F11C1A
                                            • Part of subcall function 00F11BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F11C22
                                            • Part of subcall function 00F11B4A: RegisterWindowMessageW.USER32(00000004,?,00F112C4), ref: 00F11BA2
                                          • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F1136A
                                          • OleInitialize.OLE32 ref: 00F11388
                                          • CloseHandle.KERNEL32(00000000,00000000), ref: 00F524AB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                          • String ID:
                                          • API String ID: 1986988660-0
                                          • Opcode ID: d457c21cee50b8a44737cee8bd217f3063f94c6f6e912b5994b1a1adb5982943
                                          • Instruction ID: e6568cf6cbb5c4c51e84106542e43b694424b6494599af787a4f5eac891db5d7
                                          • Opcode Fuzzy Hash: d457c21cee50b8a44737cee8bd217f3063f94c6f6e912b5994b1a1adb5982943
                                          • Instruction Fuzzy Hash: BC7191B59013C88FC784DF7BAD856993AE1FB89344798422AD10ACF362EB344585FF51
                                          APIs
                                          • CloseHandle.KERNELBASE(00000000,00000000,?,?,00F485CC,?,00FD8CC8,0000000C), ref: 00F48704
                                          • GetLastError.KERNEL32(?,00F485CC,?,00FD8CC8,0000000C), ref: 00F4870E
                                          • __dosmaperr.LIBCMT ref: 00F48739
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID:
                                          • API String ID: 2583163307-0
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 00F217F6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Init_thread_footer
                                          • String ID: CALL
                                          • API String ID: 1385522511-4196123274
                                          APIs
                                          • GetOpenFileNameW.COMDLG32(?), ref: 00F52C8C
                                            • Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2
                                            • Part of subcall function 00F12DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F12DC4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Name$Path$FileFullLongOpen
                                          • String ID: X
                                          • API String ID: 779396738-3081909835
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 0112FA3A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateProcess
                                          • String ID: D
                                          • API String ID: 963392458-2746444292
                                          APIs
                                          • CreateProcessW.KERNELBASE(?,00000000), ref: 0112F17D
                                          • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 0112F1A1
                                          • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 0112F1C3
                                          • TerminateProcess.KERNELBASE(00000000,00000000,?), ref: 0112F4CC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$ContextCreateMemoryReadTerminateThreadWow64
                                          • String ID:
                                          • API String ID: 572931308-0
                                          APIs
                                          • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13908
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_
                                          • String ID:
                                          • API String ID: 1144537725-0
                                          APIs
                                          • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F15773
                                          • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F54052
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 00F1BB4E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Init_thread_footer
                                          • String ID:
                                          • API String ID: 1385522511-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LoadString
                                          • String ID:
                                          • API String ID: 2948472770-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ProtectVirtual
                                          • String ID:
                                          • API String ID: 544645111-0
                                          APIs
                                            • Part of subcall function 00F14E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E9C
                                            • Part of subcall function 00F14E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F14EAE
                                            • Part of subcall function 00F14E90: FreeLibrary.KERNEL32(00000000,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EC0
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EFD
                                            • Part of subcall function 00F14E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E62
                                            • Part of subcall function 00F14E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F14E74
                                            • Part of subcall function 00F14E59: FreeLibrary.KERNEL32(00000000,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E87
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Library$Load$AddressFreeProc
                                          • String ID:
                                          • API String ID: 2632591731-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: __wsopen_s
                                          • String ID:
                                          • API String ID: 3347428461-0
                                          APIs
                                            • Part of subcall function 00F44C7D: RtlAllocateHeap.NTDLL(00000008,00F11129,00000000,?,00F42E29,00000001,00000364,?,?,?,00F3F2DE,00F43863,00FE1444,?,00F2FDF5,?), ref: 00F44CBE
                                          • _free.LIBCMT ref: 00F4506C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AllocateHeap_free
                                          • String ID:
                                          • API String ID: 614378929-0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID:
                                          • API String ID: 176396367-0
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000008,00F11129,00000000,?,00F42E29,00000001,00000364,?,?,?,00F3F2DE,00F43863,00FE1444,?,00F2FDF5,?), ref: 00F44CBE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: a98cc05d9228173c3196294e2abbb4fdff801c18011f8d3dc34de275684509e2
                                          • Instruction ID: e8eb92896be6bef51758e1257afff02084b09f677db6c11d3bb1b7ad957b3ca4
                                          • Opcode Fuzzy Hash: a98cc05d9228173c3196294e2abbb4fdff801c18011f8d3dc34de275684509e2
                                          • Instruction Fuzzy Hash: 21E02B3390022496E73127779C00B9BBF49AF427B0F090020BC1496581DB21ED01B5F0
                                          APIs
                                          • FreeLibrary.KERNEL32(?,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14F6D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FreeLibrary
                                          • String ID:
                                          • API String ID: 3664257935-0
                                          • Opcode ID: 4a478c7643de6a7031e6602555a8e9360e648a4bdec607933c3f65389fcd324b
                                          • Instruction ID: 13182f07b8602efc9692877a736f6d7d68c45fe31b37229d12ec0676fe61c02a
                                          • Opcode Fuzzy Hash: 4a478c7643de6a7031e6602555a8e9360e648a4bdec607933c3f65389fcd324b
                                          • Instruction Fuzzy Hash: 8EF0A971505302CFCB348F20D8A08A2BBE4EF50329320897EE1EA87620C731A889EF00
                                          APIs
                                          • WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,00F5EE51,00FD3630,00000002), ref: 00F7CD26
                                            • Part of subcall function 00F7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,00F7CD19,?,?,?), ref: 00F7CC59
                                            • Part of subcall function 00F7CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,00F7CD19,?,?,?,?,00F5EE51,00FD3630,00000002), ref: 00F7CC6E
                                            • Part of subcall function 00F7CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,00F7CD19,?,?,?,?,00F5EE51,00FD3630,00000002), ref: 00F7CC7A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: File$Pointer$Write
                                          • String ID:
                                          • API String ID: 3847668363-0
                                          • Opcode ID: 1bea129bff30838affd1c8c7c2f4e2d6f73fc62a201188c579f6005a1647e9ac
                                          • Instruction ID: 9b2750981542fc416f74ec5af59656b5ab833b74868b5213b572ef73017c343a
                                          • Opcode Fuzzy Hash: 1bea129bff30838affd1c8c7c2f4e2d6f73fc62a201188c579f6005a1647e9ac
                                          • Instruction Fuzzy Hash: 3CE06576500704EFC7219F46DD01CAABBF9FF85760710852FE955C2110D775AA14EBA1
                                          APIs
                                          • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00F12DC4
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LongNamePath_wcslen
                                          • String ID:
                                          • API String ID: 541455249-0
                                          • Opcode ID: 5fb011c537c05601279d91ccdec769288b55cd5a92672991047a904489c11ad5
                                          • Instruction ID: cffb4ed40f32eab118de55ed1662f3ecb57b61821ce1c9b91e484dfc01664543
                                          • Opcode Fuzzy Hash: 5fb011c537c05601279d91ccdec769288b55cd5a92672991047a904489c11ad5
                                          • Instruction Fuzzy Hash: E7E0CD726041245BC710D2589C05FEA77DDDFC8790F050071FD09D7248D964AD849590
                                          APIs
                                            • Part of subcall function 00F13837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F13908
                                            • Part of subcall function 00F1D730: GetInputState.USER32 ref: 00F1D807
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F12B6B
                                            • Part of subcall function 00F130F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F1314E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                          • String ID:
                                          • API String ID: 3667716007-0
                                          • Opcode ID: 2eec9435dbaf40af9bb6a6cc919fc2087343bcc295c88a77c6adcba8c22bf079
                                          • Instruction ID: 2d276100dc56e54b0336c4a1277ebf7dfadf9d06d7458ef63c03e0ea215a5add
                                          • Opcode Fuzzy Hash: 2eec9435dbaf40af9bb6a6cc919fc2087343bcc295c88a77c6adcba8c22bf079
                                          • Instruction Fuzzy Hash: 2DE0863270824807CA08FB76AC525EDB7999BD6365F40153EF142472A3CE7889C56392
                                          APIs
                                          • CreateFileW.KERNELBASE(00000000,00000000,?,00F50704,?,?,00000000,?,00F50704,00000000,0000000C), ref: 00F503B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateFile
                                          • String ID:
                                          • API String ID: 823142352-0
                                          • Opcode ID: 2f028c707127e42d129ba3a64f74663ee526435c6bd86a1f45e53123dc71f136
                                          • Instruction ID: cc65f9007837b5d5c8d9937631f60d0e0cfda1da97003ba0cc58a6e7fce7fd34
                                          • Opcode Fuzzy Hash: 2f028c707127e42d129ba3a64f74663ee526435c6bd86a1f45e53123dc71f136
                                          • Instruction Fuzzy Hash: E0D06C3214010DBBDF028F84DD06EDA3BAAFB48714F014000BE1856020C736E821AB90
                                          APIs
                                          • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F11CBC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: InfoParametersSystem
                                          • String ID:
                                          • API String ID: 3098949447-0
                                          • Opcode ID: bcd6056206b98916a7fbed5586f35c4b4bd606381c30128d4e7e52239124ea99
                                          • Instruction ID: f2ee9df6c36abc5b878e8626d54179be5231e6b1fe2449ae0ede40d77ff97410
                                          • Opcode Fuzzy Hash: bcd6056206b98916a7fbed5586f35c4b4bd606381c30128d4e7e52239124ea99
                                          • Instruction Fuzzy Hash: DDC09B3528034C9FF2144780BD8AF107754B348B00F484001F6095D5F3D7B11810F690
                                          APIs
                                            • Part of subcall function 00F15745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00F1949C,?,00008000), ref: 00F15773
                                          • GetLastError.KERNEL32(00000002,00000000), ref: 00F876DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateErrorFileLast
                                          • String ID:
                                          • API String ID: 1214770103-0
                                          • Opcode ID: dd9415f8d5fcbb2faa88134e91b88289d8fae17577eef1ceb546935aa3afb761
                                          • Instruction ID: 07a1c947f93e6cfd2705d5d25d5f31d82829f5f4e6d6931c15c1139f7ac60596
                                          • Opcode Fuzzy Hash: dd9415f8d5fcbb2faa88134e91b88289d8fae17577eef1ceb546935aa3afb761
                                          • Instruction Fuzzy Hash: AE81A1306087019FCB14FF28C891BA9B7E1AF88310F18451DF8995B392DB34ED85EB92
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 0112F961
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                          • Instruction ID: ed19d068347abce86c3240c05ec459467cb9944470bc1911c75ba079526d1659
                                          • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                          • Instruction Fuzzy Hash: FAE09A7494020EAFDB04EFA4D54969E7BB4EF04301F1005A1FD05D6681DB309A648A62
                                          APIs
                                          • CloseHandle.KERNELBASE(?,?,00000000,00F524E0), ref: 00F16266
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 26689c2b753c11fdad8bdf87763e0be21164b00856e2b0a3b39daf8d73e5c15a
                                          • Instruction ID: e0b29cc3e4827060f80e3a9edcd74c7374e3587eb09dab56393bfe84fd308156
                                          • Opcode Fuzzy Hash: 26689c2b753c11fdad8bdf87763e0be21164b00856e2b0a3b39daf8d73e5c15a
                                          • Instruction Fuzzy Hash: 69E09275800B01DEDB314F1AE804492FBE5FEE13613204A2ED0E592660D7B05886EF50
                                          APIs
                                          • Sleep.KERNELBASE(000001F4), ref: 0112F961
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID: Sleep
                                          • String ID:
                                          • API String ID: 3472027048-0
                                          • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction ID: bcdc42a6bd310a343782cec1b151963f16324958e7a81fc90d97d75cd2f034f2
                                          • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                          • Instruction Fuzzy Hash: 2DE0E67494020EEFDB00EFB4D54969E7FB4EF04301F100161FD01D2281D7309D60CA62
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00FA961A
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FA965B
                                          • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00FA969F
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA96C9
                                          • SendMessageW.USER32 ref: 00FA96F2
                                          • GetKeyState.USER32(00000011), ref: 00FA978B
                                          • GetKeyState.USER32(00000009), ref: 00FA9798
                                          • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00FA97AE
                                          • GetKeyState.USER32(00000010), ref: 00FA97B8
                                          • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA97E9
                                          • SendMessageW.USER32 ref: 00FA9810
                                          • SendMessageW.USER32(?,00001030,?,00FA7E95), ref: 00FA9918
                                          • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00FA992E
                                          • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00FA9941
                                          • SetCapture.USER32(?), ref: 00FA994A
                                          • ClientToScreen.USER32(?,?), ref: 00FA99AF
                                          • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00FA99BC
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA99D6
                                          • ReleaseCapture.USER32 ref: 00FA99E1
                                          • GetCursorPos.USER32(?), ref: 00FA9A19
                                          • ScreenToClient.USER32(?,?), ref: 00FA9A26
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FA9A80
                                          • SendMessageW.USER32 ref: 00FA9AAE
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FA9AEB
                                          • SendMessageW.USER32 ref: 00FA9B1A
                                          • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00FA9B3B
                                          • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00FA9B4A
                                          • GetCursorPos.USER32(?), ref: 00FA9B68
                                          • ScreenToClient.USER32(?,?), ref: 00FA9B75
                                          • GetParent.USER32(?), ref: 00FA9B93
                                          • SendMessageW.USER32(?,00001012,00000000,?), ref: 00FA9BFA
                                          • SendMessageW.USER32 ref: 00FA9C2B
                                          • ClientToScreen.USER32(?,?), ref: 00FA9C84
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00FA9CB4
                                          • SendMessageW.USER32(?,00001111,00000000,?), ref: 00FA9CDE
                                          • SendMessageW.USER32 ref: 00FA9D01
                                          • ClientToScreen.USER32(?,?), ref: 00FA9D4E
                                          • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00FA9D82
                                            • Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA9E05
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                          • String ID: @GUI_DRAGID$F
                                          • API String ID: 3429851547-4164748364
                                          • Opcode ID: 64c14a22b02890a90f9eda3c6bddd94b4606619fef7336861c50f179640e84c8
                                          • Instruction ID: 728eb95646aea594809633cc1beb90c9910b4bffcde379f9155ba346778ea291
                                          • Opcode Fuzzy Hash: 64c14a22b02890a90f9eda3c6bddd94b4606619fef7336861c50f179640e84c8
                                          • Instruction Fuzzy Hash: 774281B5608245AFD724CF24CC84EAABBE5FF4A320F140629F559873A1D7B1D850EF91
                                          APIs
                                          • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00FA48F3
                                          • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00FA4908
                                          • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00FA4927
                                          • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00FA494B
                                          • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00FA495C
                                          • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00FA497B
                                          • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00FA49AE
                                          • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00FA49D4
                                          • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00FA4A0F
                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FA4A56
                                          • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00FA4A7E
                                          • IsMenu.USER32(?), ref: 00FA4A97
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA4AF2
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FA4B20
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA4B94
                                          • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00FA4BE3
                                          • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00FA4C82
                                          • wsprintfW.USER32 ref: 00FA4CAE
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA4CC9
                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FA4CF1
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA4D13
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA4D33
                                          • GetWindowTextW.USER32(?,00000000,00000001), ref: 00FA4D5A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                          • String ID: %d/%02d/%02d
                                          • API String ID: 4054740463-328681919
                                          • Opcode ID: 512ad6e8e105cd3e4674fb1407caea5b174fe43f24a981c7a3d8663c22d5f498
                                          • Instruction ID: 9d9ceae37b031dd4e3e69396b36afcaff8907f052c650001a0d8903c18d155dd
                                          • Opcode Fuzzy Hash: 512ad6e8e105cd3e4674fb1407caea5b174fe43f24a981c7a3d8663c22d5f498
                                          • Instruction Fuzzy Hash: BC1218B5900218AFEB258F24DC45FAE7BF8EF86710F144129F519DB2D1DBB4A940EB90
                                          APIs
                                          • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F2F998
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F6F474
                                          • IsIconic.USER32(00000000), ref: 00F6F47D
                                          • ShowWindow.USER32(00000000,00000009), ref: 00F6F48A
                                          • SetForegroundWindow.USER32(00000000), ref: 00F6F494
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6F4AA
                                          • GetCurrentThreadId.KERNEL32 ref: 00F6F4B1
                                          • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F6F4BD
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F6F4CE
                                          • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F6F4D6
                                          • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F6F4DE
                                          • SetForegroundWindow.USER32(00000000), ref: 00F6F4E1
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F4F6
                                          • keybd_event.USER32(00000012,00000000), ref: 00F6F501
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F50B
                                          • keybd_event.USER32(00000012,00000000), ref: 00F6F510
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F519
                                          • keybd_event.USER32(00000012,00000000), ref: 00F6F51E
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F6F528
                                          • keybd_event.USER32(00000012,00000000), ref: 00F6F52D
                                          • SetForegroundWindow.USER32(00000000), ref: 00F6F530
                                          • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F6F557
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 4125248594-2988720461
                                          • Opcode ID: ec4a01e8dffcbee3d6185506bf3e8b03efd4958f747f80b6fe0cf22cf33fa310
                                          • Instruction ID: d99df8363ab17de285da8ccffb4ab3be5ec426d33cd73ffe3c78a91abbcf5def
                                          • Opcode Fuzzy Hash: ec4a01e8dffcbee3d6185506bf3e8b03efd4958f747f80b6fe0cf22cf33fa310
                                          • Instruction Fuzzy Hash: 25311EB1E4021CBEEB216BB59C4AFBF7E6CEB45B50F140065FA05E61D1CAB15D00BAA1
                                          APIs
                                            • Part of subcall function 00F716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
                                            • Part of subcall function 00F716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
                                            • Part of subcall function 00F716C3: GetLastError.KERNEL32 ref: 00F7174A
                                          • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00F71286
                                          • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00F712A8
                                          • CloseHandle.KERNEL32(?), ref: 00F712B9
                                          • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00F712D1
                                          • GetProcessWindowStation.USER32 ref: 00F712EA
                                          • SetProcessWindowStation.USER32(00000000), ref: 00F712F4
                                          • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00F71310
                                            • Part of subcall function 00F710BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F711FC), ref: 00F710D4
                                            • Part of subcall function 00F710BF: CloseHandle.KERNEL32(?,?,00F711FC), ref: 00F710E9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                          • String ID: $default$winsta0
                                          • API String ID: 22674027-1027155976
                                          • Opcode ID: a2f481254973dc17aaceacb03bc4738d6d1f2f6d6cd6ad19d9e7c035658c108b
                                          • Instruction ID: 07a09b7c65a491e0f38da1691db03434d28a384dc50afdb6c3ea0a9fffd4bcc7
                                          • Opcode Fuzzy Hash: a2f481254973dc17aaceacb03bc4738d6d1f2f6d6cd6ad19d9e7c035658c108b
                                          • Instruction Fuzzy Hash: 218191B1900208AFDF21DFA8DC49FEE7BB9FF05710F14811AF918A6150D7349958EB62
                                          APIs
                                            • Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
                                            • Part of subcall function 00F710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
                                            • Part of subcall function 00F710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
                                            • Part of subcall function 00F710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
                                            • Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F70BCC
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F70C00
                                          • GetLengthSid.ADVAPI32(?), ref: 00F70C17
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00F70C51
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F70C6D
                                          • GetLengthSid.ADVAPI32(?), ref: 00F70C84
                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F70C8C
                                          • HeapAlloc.KERNEL32(00000000), ref: 00F70C93
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F70CB4
                                          • CopySid.ADVAPI32(00000000), ref: 00F70CBB
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F70CEA
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F70D0C
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F70D1E
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D45
                                          • HeapFree.KERNEL32(00000000), ref: 00F70D4C
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D55
                                          • HeapFree.KERNEL32(00000000), ref: 00F70D5C
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70D65
                                          • HeapFree.KERNEL32(00000000), ref: 00F70D6C
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F70D78
                                          • HeapFree.KERNEL32(00000000), ref: 00F70D7F
                                            • Part of subcall function 00F71193: GetProcessHeap.KERNEL32(00000008,00F70BB1,?,00000000,?,00F70BB1,?), ref: 00F711A1
                                            • Part of subcall function 00F71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F70BB1,?), ref: 00F711A8
                                            • Part of subcall function 00F71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F70BB1,?), ref: 00F711B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                          • String ID:
                                          • API String ID: 4175595110-0
                                          • Opcode ID: 40eb7cef07638a9b3def7fc56dd54b7cdd7e17914a06f3a38ed74fa8c003e417
                                          • Instruction ID: 130ccdb0e2a52c69de79f305828456633327640232cb3df39ee19c46204f1b18
                                          • Opcode Fuzzy Hash: 40eb7cef07638a9b3def7fc56dd54b7cdd7e17914a06f3a38ed74fa8c003e417
                                          • Instruction Fuzzy Hash: 06715DB1D0020AEBDF10DFA5DC44FAEBBB8BF05310F048516F919E6291DB75A905EBA1
                                          APIs
                                          • OpenClipboard.USER32(00FACC08), ref: 00F8EB29
                                          • IsClipboardFormatAvailable.USER32(0000000D), ref: 00F8EB37
                                          • GetClipboardData.USER32(0000000D), ref: 00F8EB43
                                          • CloseClipboard.USER32 ref: 00F8EB4F
                                          • GlobalLock.KERNEL32(00000000), ref: 00F8EB87
                                          • CloseClipboard.USER32 ref: 00F8EB91
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00F8EBBC
                                          • IsClipboardFormatAvailable.USER32(00000001), ref: 00F8EBC9
                                          • GetClipboardData.USER32(00000001), ref: 00F8EBD1
                                          • GlobalLock.KERNEL32(00000000), ref: 00F8EBE2
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00F8EC22
                                          • IsClipboardFormatAvailable.USER32(0000000F), ref: 00F8EC38
                                          • GetClipboardData.USER32(0000000F), ref: 00F8EC44
                                          • GlobalLock.KERNEL32(00000000), ref: 00F8EC55
                                          • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00F8EC77
                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8EC94
                                          • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00F8ECD2
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00F8ECF3
                                          • CountClipboardFormats.USER32 ref: 00F8ED14
                                          • CloseClipboard.USER32 ref: 00F8ED59
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                          • String ID:
                                          • API String ID: 420908878-0
                                          • Opcode ID: 6f53a7b8cd238fbbf62951eda067b05a7b165b82eed5b076f59a486c45f9c835
                                          • Instruction ID: 52889095c4e241d65106e6b3c1d5d70a5e1722d531f2b2fb6fa9d196f74cf8a0
                                          • Opcode Fuzzy Hash: 6f53a7b8cd238fbbf62951eda067b05a7b165b82eed5b076f59a486c45f9c835
                                          • Instruction Fuzzy Hash: 8861E2752043059FD300EF20CC94FAAB7E4AF85724F14451DF856972A2DB31ED49EBA2
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F869BE
                                          • FindClose.KERNEL32(00000000), ref: 00F86A12
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F86A4E
                                          • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F86A75
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F86AB2
                                          • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F86ADF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                          • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                          • API String ID: 3830820486-3289030164
                                          • Opcode ID: 37ceb1a3db8184f18f50321b53ff2bd246a59aef8ab4eb5195d210f17433fb1e
                                          • Instruction ID: a3c528f4309eb931faf97f56d960552d1edd3819ee3f5fd56c519c0752b9aa79
                                          • Opcode Fuzzy Hash: 37ceb1a3db8184f18f50321b53ff2bd246a59aef8ab4eb5195d210f17433fb1e
                                          • Instruction Fuzzy Hash: 24D14072508300AEC714EBA4DC91EEBB7ECAF88704F44491DF585D7191EB78DA48DBA2
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F89663
                                          • GetFileAttributesW.KERNEL32(?), ref: 00F896A1
                                          • SetFileAttributesW.KERNEL32(?,?), ref: 00F896BB
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F896D3
                                          • FindClose.KERNEL32(00000000), ref: 00F896DE
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00F896FA
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F8974A
                                          • SetCurrentDirectoryW.KERNEL32(00FD6B7C), ref: 00F89768
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F89772
                                          • FindClose.KERNEL32(00000000), ref: 00F8977F
                                          • FindClose.KERNEL32(00000000), ref: 00F8978F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                          • String ID: *.*
                                          • API String ID: 1409584000-438819550
                                          • Opcode ID: abe225f7383ba20f00f7384ea6b6f4bcdf711830e46962cc63d157ad854204f6
                                          • Instruction ID: 30982d149637369aecd6eb03cf89c65885842e9e1f44a758bfef093a3e5d6029
                                          • Opcode Fuzzy Hash: abe225f7383ba20f00f7384ea6b6f4bcdf711830e46962cc63d157ad854204f6
                                          • Instruction Fuzzy Hash: 8831C3729042196ADF10AFB4DC08AEE77AC9F4A330F184156F815E21A0EB74DE40AB64
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 00F897BE
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F89819
                                          • FindClose.KERNEL32(00000000), ref: 00F89824
                                          • FindFirstFileW.KERNEL32(*.*,?), ref: 00F89840
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F89890
                                          • SetCurrentDirectoryW.KERNEL32(00FD6B7C), ref: 00F898AE
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F898B8
                                          • FindClose.KERNEL32(00000000), ref: 00F898C5
                                          • FindClose.KERNEL32(00000000), ref: 00F898D5
                                            • Part of subcall function 00F7DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F7DB00
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                          • String ID: *.*
                                          • API String ID: 2640511053-438819550
                                          • Opcode ID: 84478d7b02675e68fd4e56005578043a06125f77c139f72fdd22ea9ec99f051f
                                          • Instruction ID: 3546caae4ab36c7322281659a151a232119e9eab4564cf27627227bbc9475322
                                          • Opcode Fuzzy Hash: 84478d7b02675e68fd4e56005578043a06125f77c139f72fdd22ea9ec99f051f
                                          • Instruction Fuzzy Hash: DA31A37290461A6EDF10BFB4DC48AEE77AC9F46334F584156E814E21A0DBB4DE44EB60
                                          APIs
                                          • GetLocalTime.KERNEL32(?), ref: 00F88257
                                          • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F88267
                                          • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F88273
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F88310
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F88324
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F88356
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F8838C
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F88395
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CurrentDirectoryTime$File$Local$System
                                          • String ID: *.*
                                          • API String ID: 1464919966-438819550
                                          • Opcode ID: 86463a0f87019d8482a1a76aa71e7ee5d46c68496a9b52977904d161bd80a254
                                          • Instruction ID: e04bfd8c704ab5405b3ad6e3a424402e8e83a966c9f3c2b4923d10a5c7723323
                                          • Opcode Fuzzy Hash: 86463a0f87019d8482a1a76aa71e7ee5d46c68496a9b52977904d161bd80a254
                                          • Instruction Fuzzy Hash: A2615BB25043059FCB10EF64C84499EB3E9FF89360F44891EF98987251EB35E946DB92
                                          APIs
                                            • Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2
                                            • Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F7D122
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00F7D1DD
                                          • MoveFileW.KERNEL32(?,?), ref: 00F7D1F0
                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7D20D
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F7D237
                                            • Part of subcall function 00F7D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00F7D21C,?,?), ref: 00F7D2B2
                                          • FindClose.KERNEL32(00000000,?,?,?), ref: 00F7D253
                                          • FindClose.KERNEL32(00000000), ref: 00F7D264
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 1946585618-1173974218
                                          • Opcode ID: f6dae162abc41bcf3d101d36a273cd16b8f3ea496aa0ada3e744f760e158c248
                                          • Instruction ID: a5e34854a9ba7e34fc1cbf11fa12212be3a4ceefbb91f91ac0290d5c650f9207
                                          • Opcode Fuzzy Hash: f6dae162abc41bcf3d101d36a273cd16b8f3ea496aa0ada3e744f760e158c248
                                          • Instruction Fuzzy Hash: B1618F71C0510D9ACF05EBE0CD529EDB7B5AF15310FA48066E406B7192EB346F4AEBA1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                          • String ID:
                                          • API String ID: 1737998785-0
                                          • Opcode ID: c8345da6347a9fee01f9f4a10a019af9c9a3f77ef2e71c99c620aec145ea2e31
                                          • Instruction ID: 0662c757a048f5a8ba1c2b4784c924e15538fd21bed35469c4ac288a58da2ae8
                                          • Opcode Fuzzy Hash: c8345da6347a9fee01f9f4a10a019af9c9a3f77ef2e71c99c620aec145ea2e31
                                          • Instruction Fuzzy Hash: 2D41AB75604611AFE320EF15D888B99BBE1FF45328F15C099E4198B7A2C735EC42EBD0
                                          APIs
                                            • Part of subcall function 00F716C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
                                            • Part of subcall function 00F716C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
                                            • Part of subcall function 00F716C3: GetLastError.KERNEL32 ref: 00F7174A
                                          • ExitWindowsEx.USER32(?,00000000), ref: 00F7E932
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                          • String ID: $ $@$SeShutdownPrivilege
                                          • API String ID: 2234035333-3163812486
                                          • Opcode ID: b9c65f1c88f8f6aed5ecbe9fe498e4ab52d56939d8586f6072db527a31192a76
                                          • Instruction ID: 2f43180bf7f2401d10ef85c1f5dcd9b9ec2a1cb15350829a4fcf6dfa0649efbb
                                          • Opcode Fuzzy Hash: b9c65f1c88f8f6aed5ecbe9fe498e4ab52d56939d8586f6072db527a31192a76
                                          • Instruction Fuzzy Hash: 03012B73A10214AFEB6426749C85BBB727CA718750F148463FA07E21D1D6645C40B2D2
                                          APIs
                                          • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00F91276
                                          • WSAGetLastError.WSOCK32 ref: 00F91283
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00F912BA
                                          • WSAGetLastError.WSOCK32 ref: 00F912C5
                                          • closesocket.WSOCK32(00000000), ref: 00F912F4
                                          • listen.WSOCK32(00000000,00000005), ref: 00F91303
                                          • WSAGetLastError.WSOCK32 ref: 00F9130D
                                          • closesocket.WSOCK32(00000000), ref: 00F9133C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$closesocket$bindlistensocket
                                          • String ID:
                                          • API String ID: 540024437-0
                                          • Opcode ID: b4a06e2b615e8a161ce99da1dedac1b14b12d1e7c3af4dce3d392e5a771608b0
                                          • Instruction ID: e751cf3d82622caae5e7643065ecce5dfef0c37df448124e86f6600aff1c25cf
                                          • Opcode Fuzzy Hash: b4a06e2b615e8a161ce99da1dedac1b14b12d1e7c3af4dce3d392e5a771608b0
                                          • Instruction Fuzzy Hash: 2B41A471A001059FEB10EF24C488B69BBF6BF46328F188198D8568F2D6C775EC81DBE1
                                          APIs
                                          • _free.LIBCMT ref: 00F4B9D4
                                          • _free.LIBCMT ref: 00F4B9F8
                                          • _free.LIBCMT ref: 00F4BB7F
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FB3700), ref: 00F4BB91
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00FE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F4BC09
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00FE1270,000000FF,?,0000003F,00000000,?), ref: 00F4BC36
                                          • _free.LIBCMT ref: 00F4BD4B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                          • String ID:
                                          • API String ID: 314583886-0
                                          • Opcode ID: d1370393a6d74236c1fc077c50b8fc252e60fbd37317ac6ba056cff4079dd45d
                                          • Instruction ID: ee5b4c34ef0ceda141c4fec90fc892d0e77906839d373af4d6c2ea5651f189aa
                                          • Opcode Fuzzy Hash: d1370393a6d74236c1fc077c50b8fc252e60fbd37317ac6ba056cff4079dd45d
                                          • Instruction Fuzzy Hash: FAC10571E04249AFDB209F698C81BAA7FB9EF41320F14419AED90DB253EB34DE41B750
                                          APIs
                                            • Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2
                                            • Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F7D420
                                          • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F7D470
                                          • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F7D481
                                          • FindClose.KERNEL32(00000000), ref: 00F7D498
                                          • FindClose.KERNEL32(00000000), ref: 00F7D4A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                          • String ID: \*.*
                                          • API String ID: 2649000838-1173974218
                                          • Opcode ID: bf173f75b45fe70e3f8a0487e2ff05996368048b44ea09d8d1b955f7c0320291
                                          • Instruction ID: 04334f842756f49a99e5088c143a72eb11aef5816604cfaec261dc042313041e
                                          • Opcode Fuzzy Hash: bf173f75b45fe70e3f8a0487e2ff05996368048b44ea09d8d1b955f7c0320291
                                          • Instruction Fuzzy Hash: A73190710083459BC304EF64CC519EFB7E8AE92314F848A1EF4D593191EB34AA49EBA3
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: 32df9c12351c7f1a9c3365fdb991465147fe2743cf45a177df49d71ecb6f43f0
                                          • Instruction ID: b7665c229070ef32eef16451079936b7a431c2ab7588c134a7705dd9b171501d
                                          • Opcode Fuzzy Hash: 32df9c12351c7f1a9c3365fdb991465147fe2743cf45a177df49d71ecb6f43f0
                                          • Instruction Fuzzy Hash: ACC23B72E046288FDB25CE28DD407EABBB5FB84315F1541EAD84DE7240E778AE859F40
                                          APIs
                                          • _wcslen.LIBCMT ref: 00F864DC
                                          • CoInitialize.OLE32(00000000), ref: 00F86639
                                          • CoCreateInstance.OLE32(00FAFCF8,00000000,00000001,00FAFB68,?), ref: 00F86650
                                          • CoUninitialize.OLE32 ref: 00F868D4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateInitializeInstanceUninitialize_wcslen
                                          • String ID: .lnk
                                          • API String ID: 886957087-24824748
                                          • Opcode ID: 504f754559eb83b913bda27282ecc79ed04c87d0c423d0f5336c7399a53630e9
                                          • Instruction ID: e1573bdb9b454a334bb33ad57cee9a520a69e33b30388074c21694e32b58f334
                                          • Opcode Fuzzy Hash: 504f754559eb83b913bda27282ecc79ed04c87d0c423d0f5336c7399a53630e9
                                          • Instruction Fuzzy Hash: 31D15971508301AFC304EF24C891AABB7E8FF98714F04496DF595CB291EB74E949DBA2
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,00000000), ref: 00F922E8
                                            • Part of subcall function 00F8E4EC: GetWindowRect.USER32(?,?), ref: 00F8E504
                                          • GetDesktopWindow.USER32 ref: 00F92312
                                          • GetWindowRect.USER32(00000000), ref: 00F92319
                                          • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00F92355
                                          • GetCursorPos.USER32(?), ref: 00F92381
                                          • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F923DF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                          • String ID:
                                          • API String ID: 2387181109-0
                                          • Opcode ID: f138b892ee6b0ca1c9a693b696b445c710208ba6a8245b9ace561d3c26547457
                                          • Instruction ID: a312c033bdeba653701527bbb9193155db2a33f4ad8e8ad5fdfb1f3b1c6d10a8
                                          • Opcode Fuzzy Hash: f138b892ee6b0ca1c9a693b696b445c710208ba6a8245b9ace561d3c26547457
                                          • Instruction Fuzzy Hash: A2319E72905319AFDB20DF54C849E5BB7A9FF89314F00091AF98997191DB34E908DB92
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00F89B78
                                          • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00F89C8B
                                            • Part of subcall function 00F83874: GetInputState.USER32 ref: 00F838CB
                                            • Part of subcall function 00F83874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F83966
                                          • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00F89BA8
                                          • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00F89C75
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                          • String ID: *.*
                                          • API String ID: 1972594611-438819550
                                          • Opcode ID: 51f8cd909850be78c5b130b94d843bf6d226d3ce3bd118df6e468693130526b0
                                          • Instruction ID: 121f36306c4bcbf7714ed9d163cae25b312a90738dd630cbd45ca75039839214
                                          • Opcode Fuzzy Hash: 51f8cd909850be78c5b130b94d843bf6d226d3ce3bd118df6e468693130526b0
                                          • Instruction Fuzzy Hash: 0B418371D0420A9FCF15EF64CC45AEE7BF4EF46320F144056E815A2191EB759E84EFA1
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F29A4E
                                          • GetSysColor.USER32(0000000F), ref: 00F29B23
                                          • SetBkColor.GDI32(?,00000000), ref: 00F29B36
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Color$LongProcWindow
                                          • String ID:
                                          • API String ID: 3131106179-0
                                          • Opcode ID: 6ed705caf61efac0058ade3ab9fa9bbbb2352131a1226811d4c8441af9b1a6a7
                                          • Instruction ID: ef3bb4e62abb77f3b3e90a9a44f44158690e0c0478094988d0d3f19093474022
                                          • Opcode Fuzzy Hash: 6ed705caf61efac0058ade3ab9fa9bbbb2352131a1226811d4c8441af9b1a6a7
                                          • Instruction Fuzzy Hash: 8FA14BB190C264AEE724AA3DAC98F7F369DEF43364F140119F402C7591CAAD9D41F671
                                          APIs
                                            • Part of subcall function 00F9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
                                            • Part of subcall function 00F9304E: _wcslen.LIBCMT ref: 00F9309B
                                          • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00F9185D
                                          • WSAGetLastError.WSOCK32 ref: 00F91884
                                          • bind.WSOCK32(00000000,?,00000010), ref: 00F918DB
                                          • WSAGetLastError.WSOCK32 ref: 00F918E6
                                          • closesocket.WSOCK32(00000000), ref: 00F91915
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 1601658205-0
                                          • Opcode ID: 3d192cc2732d328d40e652eb338affaa75268ca936c56e76f47954f5a63310e0
                                          • Instruction ID: 671626fee31d92be16a7df21cd083a90604f64586f56388de2e500f28422862d
                                          • Opcode Fuzzy Hash: 3d192cc2732d328d40e652eb338affaa75268ca936c56e76f47954f5a63310e0
                                          • Instruction Fuzzy Hash: 6851B471A002109FEB10EF24D886F6A77E5AB45718F088058F9159F3D3DB75AD41EBE1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                          • String ID:
                                          • API String ID: 292994002-0
                                          • Opcode ID: b71fe456defea251c41baf48f606f4e8b3f8726e879aef913f541142bbf38ca5
                                          • Instruction ID: cc752b148cebdafac3f3bfba254acc7513a1180aea588a84bbfc930f4a9bf419
                                          • Opcode Fuzzy Hash: b71fe456defea251c41baf48f606f4e8b3f8726e879aef913f541142bbf38ca5
                                          • Instruction Fuzzy Hash: 3721A6B1B402155FD7208F1AC844BA67BE5FF86334F1A8058E8468B351C775EC42EBD4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                          • API String ID: 0-1546025612
                                          • Opcode ID: 8fb11b3f419f5907818f009c4094adcf53fe76ee110bfd6cd585696356fbd22d
                                          • Instruction ID: 09825318d2da924827cb65f914169c3a8859b0eb85784619a54587248d313422
                                          • Opcode Fuzzy Hash: 8fb11b3f419f5907818f009c4094adcf53fe76ee110bfd6cd585696356fbd22d
                                          • Instruction Fuzzy Hash: 54A28D71E0061ACBDF24CF58C9507EDB7B1BB54761F2481AAED15A7280EB309DC6EB90
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00F9A6AC
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00F9A6BA
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00F9A79C
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9A7AB
                                            • Part of subcall function 00F2CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F53303,?), ref: 00F2CE8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                          • String ID:
                                          • API String ID: 1991900642-0
                                          • Opcode ID: 478684c9220a5ca17db3e45958bcc24035388cc6be8b4e0ba9fd6275bcb3c414
                                          • Instruction ID: 722fe351c1748de979a47c3afb8cd7816dc5f330440b0fc0cd279f0cfb3c24a8
                                          • Opcode Fuzzy Hash: 478684c9220a5ca17db3e45958bcc24035388cc6be8b4e0ba9fd6275bcb3c414
                                          • Instruction Fuzzy Hash: A7518DB1508300AFD710EF24CC86AABBBE8FF89754F40891DF58597252EB34D944DBA2
                                          APIs
                                          • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00F7AAAC
                                          • SetKeyboardState.USER32(00000080), ref: 00F7AAC8
                                          • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00F7AB36
                                          • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00F7AB88
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • String ID:
                                          • API String ID: 432972143-0
                                          • Opcode ID: a4ba9a4e0099330e77d1f2ffbf6174b4b83044a8b2c257ea38b7d3e260fb5171
                                          • Instruction ID: 11232d4ede8501653a32417b206a4487285679964dc8a73efaccf78b0c70eb7b
                                          • Opcode Fuzzy Hash: a4ba9a4e0099330e77d1f2ffbf6174b4b83044a8b2c257ea38b7d3e260fb5171
                                          • Instruction Fuzzy Hash: 3E312971E40608AEFB35CA68CC05BFE77A6ABC5320F04C21BF189521D1D3788991E7A3
                                          APIs
                                          • InternetReadFile.WININET(?,?,00000400,?), ref: 00F8CE89
                                          • GetLastError.KERNEL32(?,00000000), ref: 00F8CEEA
                                          • SetEvent.KERNEL32(?,?,00000000), ref: 00F8CEFE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorEventFileInternetLastRead
                                          • String ID:
                                          • API String ID: 234945975-0
                                          • Opcode ID: 34cb6fbb9d5c3122747d19eab950588b1254c5e8dfc05af7333dd89e59ad23e8
                                          • Instruction ID: ec625a9fc308bcc9873edcb56951f05c6b093f81e237c4462ef86650d3475be9
                                          • Opcode Fuzzy Hash: 34cb6fbb9d5c3122747d19eab950588b1254c5e8dfc05af7333dd89e59ad23e8
                                          • Instruction Fuzzy Hash: 7E219DB1900305ABEB30EF65D948BA6B7F8EB40364F10441EE646D2151EB74EE04ABB0
                                          APIs
                                          • lstrlenW.KERNEL32(?,00F55222), ref: 00F7DBCE
                                          • GetFileAttributesW.KERNEL32(?), ref: 00F7DBDD
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F7DBEE
                                          • FindClose.KERNEL32(00000000), ref: 00F7DBFA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FileFind$AttributesCloseFirstlstrlen
                                          • String ID:
                                          • API String ID: 2695905019-0
                                          • Opcode ID: 46dae4dfb3a0abb58f37b6decb6ed4772749cd2c7888922c763248c6cba439ed
                                          • Instruction ID: 9b6e914df988fdef2eba061db013cfec5015df111293edcfa3db9e1ad4e6b231
                                          • Opcode Fuzzy Hash: 46dae4dfb3a0abb58f37b6decb6ed4772749cd2c7888922c763248c6cba439ed
                                          • Instruction Fuzzy Hash: 8FF0E5718109185782216B7CEC0D9AA37BC9E02334B908703F83AC20F0EBB05D54E6D6
                                          APIs
                                          • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F782AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: lstrlen
                                          • String ID: ($|
                                          • API String ID: 1659193697-1631851259
                                          • Opcode ID: 4f2f069cecda3551122e75d49bf27699e4f51095717b17680255546d033ac9cd
                                          • Instruction ID: 0f2e6cec57b3a6c11fec37e77f40bf99c454f9d5491702dd92d365b1dcfb91ea
                                          • Opcode Fuzzy Hash: 4f2f069cecda3551122e75d49bf27699e4f51095717b17680255546d033ac9cd
                                          • Instruction Fuzzy Hash: 16324575A007059FCB28CF59C484A6AB7F0FF48760B15C46EE49ADB3A1EB70E942DB41
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F85CC1
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00F85D17
                                          • FindClose.KERNEL32(?), ref: 00F85D5F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Find$File$CloseFirstNext
                                          • String ID:
                                          • API String ID: 3541575487-0
                                          • Opcode ID: 1e64dc3812555221e877e2e4f3abd9e31401fed9375ec73978ab3f85ceac69a7
                                          • Instruction ID: c008c6c18b6bfc75abc246cf119fdf934f6775e9ac485371e57f03774d68a954
                                          • Opcode Fuzzy Hash: 1e64dc3812555221e877e2e4f3abd9e31401fed9375ec73978ab3f85ceac69a7
                                          • Instruction Fuzzy Hash: 1351AA75A046019FC714DF28C884A96B7E4FF4A324F14855EE95A8B3A2CB30EC45DF91
                                          APIs
                                          • IsDebuggerPresent.KERNEL32 ref: 00F4271A
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00F42724
                                          • UnhandledExceptionFilter.KERNEL32(?), ref: 00F42731
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: af65c46d824775380e3fb31d6d5cbc6bbbd8c8621132d384c1aa8aac756cce97
                                          • Instruction ID: 6ad348dcd64dcf382dd26fd4c73c9b5bdb9b45fce6d86b9ba5e31db741ba71d9
                                          • Opcode Fuzzy Hash: af65c46d824775380e3fb31d6d5cbc6bbbd8c8621132d384c1aa8aac756cce97
                                          • Instruction Fuzzy Hash: 1531D57490121C9BCB61DF64DD887DCBBB8AF08320F5041EAE80CA7260EB349F819F44
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00F851DA
                                          • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F85238
                                          • SetErrorMode.KERNEL32(00000000), ref: 00F852A1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DiskFreeSpace
                                          • String ID:
                                          • API String ID: 1682464887-0
                                          • Opcode ID: f04022dc3da9008dbf3484178a6f39eb5d4f73feae19bcedf1f3b42fcc5fccc1
                                          • Instruction ID: 16000cb66742f021ca14673fb0a774231b29993c8eb9ca7b6d92d2aa4d8b3527
                                          • Opcode Fuzzy Hash: f04022dc3da9008dbf3484178a6f39eb5d4f73feae19bcedf1f3b42fcc5fccc1
                                          • Instruction Fuzzy Hash: 8E314B75A005189FDB00EF54D884EEDBBB5FF49318F088099E805AB362DB35E856DBA0
                                          APIs
                                            • Part of subcall function 00F2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F30668
                                            • Part of subcall function 00F2FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00F30685
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F7170D
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F7173A
                                          • GetLastError.KERNEL32 ref: 00F7174A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                          • String ID:
                                          • API String ID: 577356006-0
                                          • Opcode ID: 6e09c38dd636a62d97ecdc8812c0ba542d247c6507eafdf9073167ae310d32cc
                                          • Instruction ID: 95674c26b90714930534801cd318e986c9149bcd2e2940acb35e0d5249b38377
                                          • Opcode Fuzzy Hash: 6e09c38dd636a62d97ecdc8812c0ba542d247c6507eafdf9073167ae310d32cc
                                          • Instruction Fuzzy Hash: 531191B2414308AFD7189F54EC86D6AB7BDFB44714B20C52EE05A97241EB70BC469A60
                                          APIs
                                          • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F7D608
                                          • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00F7D645
                                          • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00F7D650
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseControlCreateDeviceFileHandle
                                          • String ID:
                                          • API String ID: 33631002-0
                                          • Opcode ID: 7c2058e7edc026ba59621f85e861d25711857ec67f4018a9a58715f81c6f7fef
                                          • Instruction ID: 4bdc1c896cc5334b0c5f12ccd9ea2b318b25c957004efa49418a77eb4bad9b68
                                          • Opcode Fuzzy Hash: 7c2058e7edc026ba59621f85e861d25711857ec67f4018a9a58715f81c6f7fef
                                          • Instruction Fuzzy Hash: 79115EB5E05228BFDB108F95DC45FAFBBBCEB45B60F108116F908E7290D6704A059BE1
                                          APIs
                                          • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00F7168C
                                          • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F716A1
                                          • FreeSid.ADVAPI32(?), ref: 00F716B1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AllocateCheckFreeInitializeMembershipToken
                                          • String ID:
                                          • API String ID: 3429775523-0
                                          • Opcode ID: aed67277c8e5867b9a7a71446f905976ef6f1e4fc672295cb35595cd8700cd6d
                                          • Instruction ID: 37dd705213021eaebbf7e2cde4170a855202455b5d427b253a66063728539fb2
                                          • Opcode Fuzzy Hash: aed67277c8e5867b9a7a71446f905976ef6f1e4fc672295cb35595cd8700cd6d
                                          • Instruction Fuzzy Hash: E2F0F4B195030DFBDB00DFE49C89AAEBBBCFB08604F508565E501E2181E774AA449A90
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000,?,00F428E9), ref: 00F34D09
                                          • TerminateProcess.KERNEL32(00000000,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000,?,00F428E9), ref: 00F34D10
                                          • ExitProcess.KERNEL32 ref: 00F34D22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 203cb351ed87e93d7c41eb9ecdc3dfd45b4b81d78f909905368957679470f44b
                                          • Instruction ID: 78038989cfd1955f3de3d1ac556c349cfdce4f56abf39240fac271fc1cdcb42f
                                          • Opcode Fuzzy Hash: 203cb351ed87e93d7c41eb9ecdc3dfd45b4b81d78f909905368957679470f44b
                                          • Instruction Fuzzy Hash: 95E0B671400249ABCF11AF54DD09A593F69EB427A1F104014FC059A132CB39FD42EA80
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: /
                                          • API String ID: 0-2043925204
                                          • Opcode ID: 95cb962c3bfe9e281a57355c72ee840e54363cd73944f57dac92f970a79b4cea
                                          • Instruction ID: 2fb6709a79a0538c735a565c92b3611c16e92c6b407def5b004abf94e1012e44
                                          • Opcode Fuzzy Hash: 95cb962c3bfe9e281a57355c72ee840e54363cd73944f57dac92f970a79b4cea
                                          • Instruction Fuzzy Hash: A54129769012196FCB20DFB9CC49EBB7B78EB84324F504269FD05D7180E6709E41DB90
                                          APIs
                                          • GetUserNameW.ADVAPI32(?,?), ref: 00F6D28C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: NameUser
                                          • String ID: X64
                                          • API String ID: 2645101109-893830106
                                          • Opcode ID: a5f5322b997eb5134c05c2381494a70ced107d3fa81a36c63267e1526c8ced7b
                                          • Instruction ID: 38f290aaa8e6e19dbd66da034082098263cd9d44a4ad43d5f2c14a0e1be4a1ac
                                          • Opcode Fuzzy Hash: a5f5322b997eb5134c05c2381494a70ced107d3fa81a36c63267e1526c8ced7b
                                          • Instruction Fuzzy Hash: 6CD0CAB680116DEACB94CBA0EC88EDAB3BCBB04305F104292F106E2000DB349648AF20
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                          • Instruction ID: 252280e8e656c53b127d1db349f06a83f8e0cdfe11b8d9254b29ecd7f162768b
                                          • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
                                          • Instruction Fuzzy Hash: 72020D72E002199BDF14CFA9C8806ADFBF1FF88324F258169D919F7384D731AA419B94
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?), ref: 00F86918
                                          • FindClose.KERNEL32(00000000), ref: 00F86961
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Find$CloseFileFirst
                                          • String ID:
                                          • API String ID: 2295610775-0
                                          • Opcode ID: 5508006847b5fcfcf53225e53e600217abee75a17687e1e9cf6904664682faf6
                                          • Instruction ID: bbc358a6097a4562f4ac012306ad1b81ae961c4eaba3d2950a99b090e46f6488
                                          • Opcode Fuzzy Hash: 5508006847b5fcfcf53225e53e600217abee75a17687e1e9cf6904664682faf6
                                          • Instruction Fuzzy Hash: BE119D716042009FC710DF29D888A56BBE5FF89328F15C6A9E4698F7A2CB34EC45DBD1
                                          APIs
                                          • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00F94891,?,?,00000035,?), ref: 00F837E4
                                          • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00F94891,?,?,00000035,?), ref: 00F837F4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorFormatLastMessage
                                          • String ID:
                                          • API String ID: 3479602957-0
                                          • Opcode ID: 0d7e505d9230bb352af77b919dc0fe6862a0ea7e5c02ee65f588689683d3a4d2
                                          • Instruction ID: 1cf98f57ced605e612b1ed233419090075cf1affcdbb3f75671321deaa1d13b4
                                          • Opcode Fuzzy Hash: 0d7e505d9230bb352af77b919dc0fe6862a0ea7e5c02ee65f588689683d3a4d2
                                          • Instruction Fuzzy Hash: 82F0E5B16083292AEB2027668C4DFEB3AAEEFC5B61F000175F509D2291D9A09944D7F0
                                          APIs
                                          • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00F7B25D
                                          • keybd_event.USER32(?,75A8C0D0,?,00000000), ref: 00F7B270
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: InputSendkeybd_event
                                          • String ID:
                                          • API String ID: 3536248340-0
                                          • Opcode ID: bad2e2111c267f35d4f88ae1c39f124d006429296c8a1d05227b16de45e29c40
                                          • Instruction ID: 1a3ea2ac728fd1c349afb41a4195f9ec151af25b705d897aee6a77f92e883d8b
                                          • Opcode Fuzzy Hash: bad2e2111c267f35d4f88ae1c39f124d006429296c8a1d05227b16de45e29c40
                                          • Instruction Fuzzy Hash: C2F01D7180424DABDB059FA0C805BBE7BB4FF09319F04800AF955A5192C7798611EF95
                                          APIs
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F711FC), ref: 00F710D4
                                          • CloseHandle.KERNEL32(?,?,00F711FC), ref: 00F710E9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AdjustCloseHandlePrivilegesToken
                                          • String ID:
                                          • API String ID: 81990902-0
                                          • Opcode ID: 17fc16b15bb7b0f8fc6890b54dcc162b7f68aa30c3991d77cd941bd100fcaa89
                                          • Instruction ID: 0514453781fee335ad85930983739fd0820b29c5ee54ac5353291c8b8a86a99f
                                          • Opcode Fuzzy Hash: 17fc16b15bb7b0f8fc6890b54dcc162b7f68aa30c3991d77cd941bd100fcaa89
                                          • Instruction Fuzzy Hash: C1E0BF72414610AEF7252B55FC05E7777A9EF05320B14C82EF5A6804B1DB626C94EB50
                                          Strings
                                          • Variable is not of type 'Object'., xrefs: 00F60C40
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: Variable is not of type 'Object'.
                                          • API String ID: 0-1840281001
                                          • Opcode ID: d47e7e45c4aba19673204b89e5bc50577d544079c9a1d200dbd457d1540589d7
                                          • Instruction ID: 516f6a1b03181ede6e80e3a35b295478c87a84e1a201a30ee190de9dea823cea
                                          • Opcode Fuzzy Hash: d47e7e45c4aba19673204b89e5bc50577d544079c9a1d200dbd457d1540589d7
                                          • Instruction Fuzzy Hash: 9B329E31D40218DFCF14DF90D881BEEB7B5BF15314F248059E806AB292DB75AD86EBA1
                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00F46766,?,?,00000008,?,?,00F4FEFE,00000000), ref: 00F46998
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          • Opcode ID: a049aceb04a21786fcacd38b5e7b45afd24153aa98f4b7e7acc12fd48b882e49
                                          • Instruction ID: ac7f79ed9e97b0c9099b83bfe9719a6c352fadc8cd26319b109b4dacf9533854
                                          • Opcode Fuzzy Hash: a049aceb04a21786fcacd38b5e7b45afd24153aa98f4b7e7acc12fd48b882e49
                                          • Instruction Fuzzy Hash: 4FB15A32A106089FD719CF28C48AB657FE0FF46364F258658EC99CF2A2C735E981DB41
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID: 0-3916222277
                                          • Opcode ID: 05032a61a5206a586b7314abb3bc315c47e3a1d65d7519c422dd55d0decdcac2
                                          • Instruction ID: f42512728ffd1ffaed5edd00e7508ab2fa833c51ea1ff43160a61baf3b4d04ff
                                          • Opcode Fuzzy Hash: 05032a61a5206a586b7314abb3bc315c47e3a1d65d7519c422dd55d0decdcac2
                                          • Instruction Fuzzy Hash: 5F126E71D002299BCB24DF58D8917EEB7F5FF48310F14819AE849EB251EB349E81EB90
                                          APIs
                                          • BlockInput.USER32(00000001), ref: 00F8EABD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: BlockInput
                                          • String ID:
                                          • API String ID: 3456056419-0
                                          • Opcode ID: dff70facf044d998e298d7577d72d2728f5d46ae096e058df3a2c2c63b8ed512
                                          • Instruction ID: d04f599df1d6e20061184d993b574be30c0edbc84a11a0c93c3176922ccbd182
                                          • Opcode Fuzzy Hash: dff70facf044d998e298d7577d72d2728f5d46ae096e058df3a2c2c63b8ed512
                                          • Instruction Fuzzy Hash: 50E04F322002049FC710EF59D804EDAF7E9AF98770F048416FC49C7351DB74E8819BA0
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,00F303EE), ref: 00F309DA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: ebb2b841400283a49fcc91d093c12057f4637e541e18f11ab124a6ebce57aa73
                                          • Instruction ID: df6577423455aa1cf95e483709b0190d169b60b5a887982c142aa7488a14baaf
                                          • Opcode Fuzzy Hash: ebb2b841400283a49fcc91d093c12057f4637e541e18f11ab124a6ebce57aa73
                                          • Instruction Fuzzy Hash:
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                          • Instruction ID: ce5a7c3651295effc828a2114b6b761e8187784c81ba9eefb021d64917570584
                                          • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                          • Instruction Fuzzy Hash: FA5138E2E0D7456BDF38B568885A7BF73C59B02370F280A09E882D7282C619DE06F351
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c8d2675b50eb4c0e863bbbe7060efa20091ad094efa5aa3f1152c6fc4a85f423
                                          • Instruction ID: ab1485a48399d73373109667bad0618777ba715691f5b975689aec4f5ba589d7
                                          • Opcode Fuzzy Hash: c8d2675b50eb4c0e863bbbe7060efa20091ad094efa5aa3f1152c6fc4a85f423
                                          • Instruction Fuzzy Hash: 22326522D28F014DDB63A634CC62336AA49AFB73D5F15C737FC1AB59A5EB28C4836500
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 897280c0ebf088fe90b6518e9cc62b07a3043a949685685e5ef1589b6be7ac4b
                                          • Instruction ID: d9120c73bdaf91d5111f0c84c3c116f4083894ca1b6301cd0d51e54f609e13c5
                                          • Opcode Fuzzy Hash: 897280c0ebf088fe90b6518e9cc62b07a3043a949685685e5ef1589b6be7ac4b
                                          • Instruction Fuzzy Hash: FA320532E011958BCF28CF69D89467D7BA1EB45320F28816BD5DADB291D234DE81FBC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 553dd1f00ef0a61ff8f3114e9235412c8de7b27a88b0c9267ead260f6028e318
                                          • Instruction ID: 1cb43ad020efc10200bbca358d88eb3b0f09850c97b8c18d3710edd44ed8f8e5
                                          • Opcode Fuzzy Hash: 553dd1f00ef0a61ff8f3114e9235412c8de7b27a88b0c9267ead260f6028e318
                                          • Instruction Fuzzy Hash: 5322E271E0460ADFDF04DF64C851AEEB3B6FF44710F204129E816A7291EB3AAD55EB50
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: ed72df699134574571c092e77a48c961733ff14448a34c28b5b425e3008fba4d
                                          • Instruction ID: 5097d3109d3c59b918dc8fd2585819a4be7092ffd20809b6bdc04fb1bf4d90a2
                                          • Opcode Fuzzy Hash: ed72df699134574571c092e77a48c961733ff14448a34c28b5b425e3008fba4d
                                          • Instruction Fuzzy Hash: 7002F6B1E00209EBCB04DF64D881AAEB7B5FF44310F118169E916DB290EB75EE54EBC1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                          • Instruction ID: be3f717f30267bba8d75a1f2af84a67dfeea039e6a4eaf72143a4ae1b20819aa
                                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                          • Instruction Fuzzy Hash: 04918933A090A34ADB69463E853417EFFE17A523B1B1A079DD8F2CA1C1FE10D954F620
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                          • Instruction ID: 614fb24c1e16410ea03450a603866f0adfc8f454a2453987b23c5f3ddd4f8b96
                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                          • Instruction Fuzzy Hash: 749155736090E34ADB2D467A857417EFFE16A923B2B1A079DD4F2CA1C1FE14C564F620
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: c97070d0cbd1d98720751e63b71f37e5b5e94026f8273d5066136bf5b1fc9cf8
                                          • Instruction ID: 92e9ea95c262398435586fb0db22fdead194370ee850ac57508c7ef1ace05335
                                          • Opcode Fuzzy Hash: c97070d0cbd1d98720751e63b71f37e5b5e94026f8273d5066136bf5b1fc9cf8
                                          • Instruction Fuzzy Hash: EB617AF2A08349A6DE34BA288C95BBEB3A4DF81770F140919F843DB295D6199E42F315
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e6d04a954e76f5f844f604bab67a9096ad8f09508f4220cd44ef7661c9e10453
                                          • Instruction ID: 4f1ed011db7026da55855e9846cbd724336863bd5e80155b2b2960d2548e66d5
                                          • Opcode Fuzzy Hash: e6d04a954e76f5f844f604bab67a9096ad8f09508f4220cd44ef7661c9e10453
                                          • Instruction Fuzzy Hash: 40616BF2E0C74966DE38BA288C55BBF73949F41770F100959F843DB281DA19AD82F255
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                          • Instruction ID: c685d9ff3d8cebc9d15ffebb7783edfdbb1ff66f892d75c3c391e388429e8750
                                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                          • Instruction Fuzzy Hash: 38816433A090A349DB6D863A853453EFFE17A923B1B1E079DD4F2CA1C1EE24C564F620
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction ID: d49d81a3219a66cdf188e5d9ea11ce883e16c845cc5de45fe1ff8da00411ccce
                                          • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                                          • Instruction Fuzzy Hash: 8841D271D1051CEBDF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e368dcc111f985badaf476e44c6981459c1074c27c43d85af590bf633b5cd9da
                                          • Instruction ID: a4604d1d831552bf837d089d0db4b8128b7b8886e7259d98eb4227311218bf0d
                                          • Opcode Fuzzy Hash: e368dcc111f985badaf476e44c6981459c1074c27c43d85af590bf633b5cd9da
                                          • Instruction Fuzzy Hash: C6210D327206558BDB68CF79C8536BE73E9A754320F14862EE4A7C73D0DE79A904D780
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction ID: 0b454889a9ea4f1b55430b9a10397dab6f09a599e1b994d0e7277838d5acc0bf
                                          • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                                          • Instruction Fuzzy Hash: F8019278A00109EFCB48DF98C5909AEF7F5FF88314F208599E809A7305D730AE42DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction ID: 463245595b995e789e6c9ddb9aa2f57d859d242348a27e2348923bdae43b3886
                                          • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                                          • Instruction Fuzzy Hash: F3019278A00209EFCB48DF98C5909AEF7F5FB8C314F208699E809A7305D730AE41DB80
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_112d000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                                          • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                                          • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00F92B30
                                          • DeleteObject.GDI32(00000000), ref: 00F92B43
                                          • DestroyWindow.USER32 ref: 00F92B52
                                          • GetDesktopWindow.USER32 ref: 00F92B6D
                                          • GetWindowRect.USER32(00000000), ref: 00F92B74
                                          • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00F92CA3
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00F92CB1
                                          • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92CF8
                                          • GetClientRect.USER32(00000000,?), ref: 00F92D04
                                          • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00F92D40
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D62
                                          • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D75
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D80
                                          • GlobalLock.KERNEL32(00000000), ref: 00F92D89
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92D98
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00F92DA1
                                          • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92DA8
                                          • GlobalFree.KERNEL32(00000000), ref: 00F92DB3
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92DC5
                                          • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FAFC38,00000000), ref: 00F92DDB
                                          • GlobalFree.KERNEL32(00000000), ref: 00F92DEB
                                          • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00F92E11
                                          • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00F92E30
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F92E52
                                          • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00F9303F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                          • String ID: $AutoIt v3$DISPLAY$static
                                          • API String ID: 2211948467-2373415609
                                          • Opcode ID: 5bb43aa045e9cd51b45412cbf6f713889876d190867932af8c832e7a6fc74f07
                                          • Instruction ID: bd2c487b7c11cdc987edd579e3458c2a42a53ef596b72b528a3b04c7878710a5
                                          • Opcode Fuzzy Hash: 5bb43aa045e9cd51b45412cbf6f713889876d190867932af8c832e7a6fc74f07
                                          • Instruction Fuzzy Hash: 700260B1A00209EFDB14DF64CC89EAE7BB9FB49314F048158F915AB2A1D774DD41EBA0
                                          APIs
                                          • SetTextColor.GDI32(?,00000000), ref: 00FA712F
                                          • GetSysColorBrush.USER32(0000000F), ref: 00FA7160
                                          • GetSysColor.USER32(0000000F), ref: 00FA716C
                                          • SetBkColor.GDI32(?,000000FF), ref: 00FA7186
                                          • SelectObject.GDI32(?,?), ref: 00FA7195
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00FA71C0
                                          • GetSysColor.USER32(00000010), ref: 00FA71C8
                                          • CreateSolidBrush.GDI32(00000000), ref: 00FA71CF
                                          • FrameRect.USER32(?,?,00000000), ref: 00FA71DE
                                          • DeleteObject.GDI32(00000000), ref: 00FA71E5
                                          • InflateRect.USER32(?,000000FE,000000FE), ref: 00FA7230
                                          • FillRect.USER32(?,?,?), ref: 00FA7262
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA7284
                                            • Part of subcall function 00FA73E8: GetSysColor.USER32(00000012), ref: 00FA7421
                                            • Part of subcall function 00FA73E8: SetTextColor.GDI32(?,?), ref: 00FA7425
                                            • Part of subcall function 00FA73E8: GetSysColorBrush.USER32(0000000F), ref: 00FA743B
                                            • Part of subcall function 00FA73E8: GetSysColor.USER32(0000000F), ref: 00FA7446
                                            • Part of subcall function 00FA73E8: GetSysColor.USER32(00000011), ref: 00FA7463
                                            • Part of subcall function 00FA73E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FA7471
                                            • Part of subcall function 00FA73E8: SelectObject.GDI32(?,00000000), ref: 00FA7482
                                            • Part of subcall function 00FA73E8: SetBkColor.GDI32(?,00000000), ref: 00FA748B
                                            • Part of subcall function 00FA73E8: SelectObject.GDI32(?,?), ref: 00FA7498
                                            • Part of subcall function 00FA73E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00FA74B7
                                            • Part of subcall function 00FA73E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FA74CE
                                            • Part of subcall function 00FA73E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00FA74DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                          • String ID:
                                          • API String ID: 4124339563-0
                                          • Opcode ID: b247839c6156a2475efa5febef05834a15281ec5642d87953db22d1cfd101a7c
                                          • Instruction ID: d04c71757c27198e8bae4d89cb1ec8c44354b5f3d08410e3822f7d8d4b2ea011
                                          • Opcode Fuzzy Hash: b247839c6156a2475efa5febef05834a15281ec5642d87953db22d1cfd101a7c
                                          • Instruction Fuzzy Hash: EAA1B2B2508305AFDB00AF60DC48E6B7BE9FF4A320F140A19F962961E1D771E944EF91
                                          APIs
                                          • DestroyWindow.USER32(?,?), ref: 00F28E14
                                          • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F66AC5
                                          • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F66AFE
                                          • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F66F43
                                            • Part of subcall function 00F28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F28BE8,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28FC5
                                          • SendMessageW.USER32(?,00001053), ref: 00F66F7F
                                          • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F66F96
                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FAC
                                          • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FB7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                          • String ID: 0
                                          • API String ID: 2760611726-4108050209
                                          • Opcode ID: 8cadbf5f5379b2cb02763ceeeee922029308a9d93c76381e26a6537a2a1878b0
                                          • Instruction ID: 71819e3400a04f9dd9f9a23e563ef4ab765d45c6c40bb3983cbb04a783feb7d1
                                          • Opcode Fuzzy Hash: 8cadbf5f5379b2cb02763ceeeee922029308a9d93c76381e26a6537a2a1878b0
                                          • Instruction Fuzzy Hash: 3512AC30A01655EFDB25CF14D884BAABBE5FB45320F184469F495CB262CB32AC52FB91
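The "API ID" and "API String ID" fields in the Similarity blocks above are the report's per-function similarity signature, and an analyst who wants to compare functions across reports (or match a dump against a known AutoIt runtime) needs to be able to recompute them. The script below is an added example written for this page; it is not Joe Sandbox code and the rules it applies are inferred, not documented. It parses API trace lines in the exact form printed in this report, including "Part of subcall function" lines, and rebuilds the API ID from the API names: split each name at camel-case boundaries, keep an underscore-terminated prefix such as "ImageList_" as one token, keep only tokens of at least four characters (so "Get", "Set", "Ex", "W", "Sys", "Bk", "Ole", "Pen" fall away), count the tokens, and emit count groups in descending order, alphabetical inside a group, joined with "$". That rule reproduces all three complete listings in this report (the functions at 00F92B30, 00FA712F and 00F28E14). The second half of "API String ID" matches CRC32 of the String ID text for both values visible here ("" gives 0, "0" gives 4108050209); treating the first half as CRC32 of the API ID is the same assumption carried over and is not independently checked. The .sdmp name decoder is likewise an assumption: it reads field 4 as the base address, field 5 as the page protection and field 7 as the memory type, which is consistent with the report's "based on PE" flag for both dump names on this page; the remaining fields are returned raw.

```python
"""Reconstruct Joe Sandbox-style per-function similarity fields from an API
call listing, and decode the .sdmp dump-file name.

Added example for this report; not Joe Sandbox code. Tokenisation, the
count-grouping rule and the CRC32 pairing are inferred from the listings
on this page and are assumptions, not a documented format.
"""
import re
import zlib
from collections import Counter

# Constructed input: the listing for the function at 00F28E14 in this report,
# including its "Part of subcall function" line, copied as printed.
SAMPLE_APIS = """\
• DestroyWindow.USER32(?,?), ref: 00F28E14
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00F66AC5
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F66AFE
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F66F43
  • Part of subcall function 00F28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F28BE8,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28FC5
• SendMessageW.USER32(?,00001053), ref: 00F66F7F
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F66F96
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FAC
• ImageList_Destroy.COMCTL32(00000000,?), ref: 00F66FB7
"""

# One trace line: optional subcall prefix, Api.MODULE, optional (args), ref: ADDR
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


def parse_api_lines(text):
    """Return one dict per parsable call line; other lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            "args": args.split(",") if args else [],
            "ref": int(m.group("ref"), 16),
            "subcall": int(m.group("sub"), 16) if m.group("sub") else None,
        })
    return calls


# Underscore-terminated prefix kept whole ("ImageList_"), else camel-case pieces.
_TOKEN = re.compile(r"[A-Za-z0-9]+_|[A-Z][a-z0-9]*|[a-z0-9]+")


def api_tokens(name, min_len=4):
    """Inferred rule: camel-case split, drop tokens shorter than min_len."""
    return [t for t in _TOKEN.findall(name) if len(t) >= min_len]


def api_id(calls):
    """Count groups in descending order, alphabetical within a group, '$'-joined."""
    counts = Counter(t for c in calls for t in api_tokens(c["api"]))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def api_string_id(api_id_text, string_id_text):
    """Assumed form: crc32(API ID)-crc32(String ID); only the string half is
    confirmed against values in this report."""
    return f"{zlib.crc32(api_id_text.encode())}-{zlib.crc32(string_id_text.encode())}"


PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}


def decode_sdmp_name(name):
    """Assumed layout: field 4 = base, field 5 = protection, field 7 = type.
    Consistent with 'based on PE: true/false' for the names in this report."""
    stem = name[:-5] if name.endswith(".sdmp") else name
    fields = stem.split(".")
    if len(fields) != 8:
        raise ValueError("unexpected .sdmp name layout")
    protect, mtype = int(fields[4], 16), int(fields[6], 16)
    return {
        "base": int(fields[3], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "likely_image": mtype == 0x1000000,
        "raw": fields,
    }


if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE_APIS)
    sig = api_id(calls)
    print(sig)
    print(api_string_id(sig, "0"))
    print(decode_sdmp_name(
        "00000000.00000002.2050864213.000000000112D000.00000040.00000020.00020000.00000000.sdmp"))
```

Running it against the 00F28E14 listing yields DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove, the API ID printed for that function above, and the second dump name decodes to a PAGE_EXECUTE_READWRITE MEM_PRIVATE region at 0x112D000, which is the usual shape of unpacked or injected code rather than a mapped image; the 0xF11000 dumps decode as PAGE_EXECUTE_READ MEM_IMAGE, matching their "based on PE: true" flag.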
                                          APIs
                                          • DestroyWindow.USER32(00000000), ref: 00F9273E
                                          • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F9286A
                                          • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00F928A9
                                          • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00F928B9
                                          • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00F92900
                                          • GetClientRect.USER32(00000000,?), ref: 00F9290C
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00F92955
                                          • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F92964
                                          • GetStockObject.GDI32(00000011), ref: 00F92974
                                          • SelectObject.GDI32(00000000,00000000), ref: 00F92978
                                          • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00F92988
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F92991
                                          • DeleteDC.GDI32(00000000), ref: 00F9299A
                                          • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F929C6
                                          • SendMessageW.USER32(00000030,00000000,00000001), ref: 00F929DD
                                          • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00F92A1D
                                          • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F92A31
                                          • SendMessageW.USER32(00000404,00000001,00000000), ref: 00F92A42
                                          • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00F92A77
                                          • GetStockObject.GDI32(00000011), ref: 00F92A82
                                          • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F92A8D
                                          • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00F92A97
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                          • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                          • API String ID: 2910397461-517079104
                                          • Opcode ID: 8856f8b1c694674b651e845a912d6b1cb2549ef994920e50b845b602df12be23
                                          • Instruction ID: 821aa8072f3e24e3cd7da1aad279e681480942fd3f357d98cb91087263e74100
                                          • Opcode Fuzzy Hash: 8856f8b1c694674b651e845a912d6b1cb2549ef994920e50b845b602df12be23
                                          • Instruction Fuzzy Hash: ACB14BB1A00219AFEB14DFA9CC89FAE7BA9FB49710F004115F915EB290D774ED40DBA0
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00F84AED
                                          • GetDriveTypeW.KERNEL32(?,00FACB68,?,\\.\,00FACC08), ref: 00F84BCA
                                          • SetErrorMode.KERNEL32(00000000,00FACB68,?,\\.\,00FACC08), ref: 00F84D36
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorMode$DriveType
                                          • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                          • API String ID: 2907320926-4222207086
                                          • Opcode ID: f6a13042484865ddfe7f19038c239a61008b03947770fac047b195350e3fd488
                                          • Instruction ID: eb7b14fa1092df947b0eb08cf93c6d7ad20cbce641cda72bf6fe02146a7227d4
                                          • Opcode Fuzzy Hash: f6a13042484865ddfe7f19038c239a61008b03947770fac047b195350e3fd488
                                          • Instruction Fuzzy Hash: F96194317052079BCB04FF14CA81AE9B7B6AB46354B288416F806EB791DB75FD41FB82
                                          APIs
                                          • GetSysColor.USER32(00000012), ref: 00FA7421
                                          • SetTextColor.GDI32(?,?), ref: 00FA7425
                                          • GetSysColorBrush.USER32(0000000F), ref: 00FA743B
                                          • GetSysColor.USER32(0000000F), ref: 00FA7446
                                          • CreateSolidBrush.GDI32(?), ref: 00FA744B
                                          • GetSysColor.USER32(00000011), ref: 00FA7463
                                          • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FA7471
                                          • SelectObject.GDI32(?,00000000), ref: 00FA7482
                                          • SetBkColor.GDI32(?,00000000), ref: 00FA748B
                                          • SelectObject.GDI32(?,?), ref: 00FA7498
                                          • InflateRect.USER32(?,000000FF,000000FF), ref: 00FA74B7
                                          • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FA74CE
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00FA74DB
                                          • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FA752A
                                          • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FA7554
                                          • InflateRect.USER32(?,000000FD,000000FD), ref: 00FA7572
                                          • DrawFocusRect.USER32(?,?), ref: 00FA757D
                                          • GetSysColor.USER32(00000011), ref: 00FA758E
                                          • SetTextColor.GDI32(?,00000000), ref: 00FA7596
                                          • DrawTextW.USER32(?,00FA70F5,000000FF,?,00000000), ref: 00FA75A8
                                          • SelectObject.GDI32(?,?), ref: 00FA75BF
                                          • DeleteObject.GDI32(?), ref: 00FA75CA
                                          • SelectObject.GDI32(?,?), ref: 00FA75D0
                                          • DeleteObject.GDI32(?), ref: 00FA75D5
                                          • SetTextColor.GDI32(?,?), ref: 00FA75DB
                                          • SetBkColor.GDI32(?,?), ref: 00FA75E5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                          • String ID:
                                          • API String ID: 1996641542-0
                                          • Opcode ID: 6a94c83988e58ca880bce8f75f771fbe6dbe808e1af5bd2bb6f86c0260148c27
                                          • Instruction ID: ad1c4316043c7074d9f991e594f814ae4c952015e914f71667790acf4b402c58
                                          • Opcode Fuzzy Hash: 6a94c83988e58ca880bce8f75f771fbe6dbe808e1af5bd2bb6f86c0260148c27
                                          • Instruction Fuzzy Hash: 3B6171B2D00218AFDF019FA4DC49EAE7FB9EF0A320F154125F915AB2A1D7749940EF90
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00FA1128
                                          • GetDesktopWindow.USER32 ref: 00FA113D
                                          • GetWindowRect.USER32(00000000), ref: 00FA1144
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA1199
                                          • DestroyWindow.USER32(?), ref: 00FA11B9
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FA11ED
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA120B
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA121D
                                          • SendMessageW.USER32(00000000,00000421,?,?), ref: 00FA1232
                                          • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FA1245
                                          • IsWindowVisible.USER32(00000000), ref: 00FA12A1
                                          • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FA12BC
                                          • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FA12D0
                                          • GetWindowRect.USER32(00000000,?), ref: 00FA12E8
                                          • MonitorFromPoint.USER32(?,?,00000002), ref: 00FA130E
                                          • GetMonitorInfoW.USER32(00000000,?), ref: 00FA1328
                                          • CopyRect.USER32(?,?), ref: 00FA133F
                                          • SendMessageW.USER32(00000000,00000412,00000000), ref: 00FA13AA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                          • String ID: ($0$tooltips_class32
                                          • API String ID: 698492251-4156429822
                                          • Opcode ID: 90e5e1787551b5f540acf3288884726b709634f63554d215b71eaadf750b6b68
                                          • Instruction ID: 47faa9f0e2d8ef3fd6e95de5606e80df042d81665389117227de7549c4d63c71
                                          • Opcode Fuzzy Hash: 90e5e1787551b5f540acf3288884726b709634f63554d215b71eaadf750b6b68
                                          • Instruction Fuzzy Hash: F2B19DB1608341AFDB04DF64C884BABBBE5FF85350F00891CF9999B2A1D771E844EB91
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00FA02E5
                                          • _wcslen.LIBCMT ref: 00FA031F
                                          • _wcslen.LIBCMT ref: 00FA0389
                                          • _wcslen.LIBCMT ref: 00FA03F1
                                          • _wcslen.LIBCMT ref: 00FA0475
                                          • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FA04C5
                                          • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA0504
                                            • Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD
                                            • Part of subcall function 00F7223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F72258
                                            • Part of subcall function 00F7223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F7228A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                          • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                          • API String ID: 1103490817-719923060
                                          • Opcode ID: 4762c0995b61c35ebe1cb250fa9151a5b47ef27dca456a703e84dabb94ed99a0
                                          • Instruction ID: bed29f78c917bc5c47989f17a4692dc5efb5ea8f0681c87cefd49e428609eb1f
                                          • Opcode Fuzzy Hash: 4762c0995b61c35ebe1cb250fa9151a5b47ef27dca456a703e84dabb94ed99a0
                                          • Instruction Fuzzy Hash: 89E1F3716183008FC714EF24D85092AB3E6FF89324F14496DF8969B3A2DB34ED45EB81
                                          APIs
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F28968
                                          • GetSystemMetrics.USER32(00000007), ref: 00F28970
                                          • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F2899B
                                          • GetSystemMetrics.USER32(00000008), ref: 00F289A3
                                          • GetSystemMetrics.USER32(00000004), ref: 00F289C8
                                          • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F289E5
                                          • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F289F5
                                          • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F28A28
                                          • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F28A3C
                                          • GetClientRect.USER32(00000000,000000FF), ref: 00F28A5A
                                          • GetStockObject.GDI32(00000011), ref: 00F28A76
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F28A81
                                            • Part of subcall function 00F2912D: GetCursorPos.USER32(?), ref: 00F29141
                                            • Part of subcall function 00F2912D: ScreenToClient.USER32(00000000,?), ref: 00F2915E
                                            • Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000001), ref: 00F29183
                                            • Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000002), ref: 00F2919D
                                          • SetTimer.USER32(00000000,00000000,00000028,00F290FC), ref: 00F28AA8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                          • String ID: AutoIt v3 GUI
                                          • API String ID: 1458621304-248962490
                                          • Opcode ID: 77cbedcd2e961c9fc011c7f2878d3262285acb962bf866a4b777c795ed5a22d7
                                          • Instruction ID: da71aed544062d2bd71227c265b3a8d04031d9a694c513b600a8ccffe4372143
                                          • Opcode Fuzzy Hash: 77cbedcd2e961c9fc011c7f2878d3262285acb962bf866a4b777c795ed5a22d7
                                          • Instruction Fuzzy Hash: 85B19E71A002199FDB14DFA8DD85BAE3BB5FB48314F104229FA15EB290DB74E941EF90
                                          APIs
                                            • Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
                                            • Part of subcall function 00F710F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
                                            • Part of subcall function 00F710F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
                                            • Part of subcall function 00F710F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
                                            • Part of subcall function 00F710F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D
                                          • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F70DF5
                                          • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F70E29
                                          • GetLengthSid.ADVAPI32(?), ref: 00F70E40
                                          • GetAce.ADVAPI32(?,00000000,?), ref: 00F70E7A
                                          • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F70E96
                                          • GetLengthSid.ADVAPI32(?), ref: 00F70EAD
                                          • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00F70EB5
                                          • HeapAlloc.KERNEL32(00000000), ref: 00F70EBC
                                          • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F70EDD
                                          • CopySid.ADVAPI32(00000000), ref: 00F70EE4
                                          • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F70F13
                                          • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F70F35
                                          • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F70F47
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F6E
                                          • HeapFree.KERNEL32(00000000), ref: 00F70F75
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F7E
                                          • HeapFree.KERNEL32(00000000), ref: 00F70F85
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F70F8E
                                          • HeapFree.KERNEL32(00000000), ref: 00F70F95
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F70FA1
                                          • HeapFree.KERNEL32(00000000), ref: 00F70FA8
                                            • Part of subcall function 00F71193: GetProcessHeap.KERNEL32(00000008,00F70BB1,?,00000000,?,00F70BB1,?), ref: 00F711A1
                                            • Part of subcall function 00F71193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00F70BB1,?), ref: 00F711A8
                                            • Part of subcall function 00F71193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00F70BB1,?), ref: 00F711B7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                          • String ID:
                                          • API String ID: 4175595110-0
                                          • Opcode ID: 847596b0736a66d964cf1034df7bb3bf1b12179f57182c64e48a8ca21b86f2c8
                                          • Instruction ID: 15c2060cb5f2cd18fa69fe8676308541b070952ba5bae1cdc7ad886255c0bd1b
                                          • Opcode Fuzzy Hash: 847596b0736a66d964cf1034df7bb3bf1b12179f57182c64e48a8ca21b86f2c8
                                          • Instruction Fuzzy Hash: B9713CB290020AEBDB20DFA5DC45FEEBBB8FF05310F148116F919E6191DB719905DBA1
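The API ID and String ID lines in the Similarity blocks above are derived from each record's API list and string list, and they can be recomputed for a function taken from another sample so that it can be matched against the records here (for instance to recognise AutoIt runtime functions such as the window-station DACL helper above and set them aside during triage). The Python below is an added example, not Joe Sandbox code. The rules it implements (split the function name before each capital letter, drop tokens shorter than four characters, count call sites including the "Part of subcall function" lines, group tokens by descending count, sort alphabetically within a group and join the groups with "$"; for the String ID, unique strings in byte order joined with "$") were inferred from the records on this page and are an assumption about the plugin's real logic. The sample records are copied from the API lists above; the hashing behind "API String ID" and the fuzzy hashes is not shown here because the page does not reveal it.

```python
"""Recompute the Joe Sandbox "API ID" / "String ID" similarity keys from a
function record's API list.  Added example, not Joe Sandbox code; the rules
below were inferred from the records on this page (an assumption)."""
import re
from collections import Counter

# One call per line, as printed in the APIs block, e.g.
#   • SetErrorMode.KERNEL32(00000001), ref: 00F84AED
#   • _wcslen.LIBCMT ref: 00FA031F
#   • Part of subcall function 00F72BE8: SendMessageW.USER32(...), ref: ...
_CALL_RE = re.compile(r"([A-Za-z_]\w*)\.([A-Z0-9]+)(?=[(\s])")

# Split before every upper-case letter; a name without one (_wcslen) is one token.
_TOKEN_RE = re.compile(r"[A-Z][^A-Z]*|[^A-Z]+")

# Inferred from the page: Get/Set/Reg/Sys/Key/Sid/Pen/DC/Ex/W never appear in an API ID.
MIN_TOKEN_LEN = 4

# Sample records copied from the API lists in this report.
DRIVE_TYPE_RECORD = [
    "• SetErrorMode.KERNEL32(00000001), ref: 00F84AED",
    r"• GetDriveTypeW.KERNEL32(?,00FACB68,?,\\.\,00FACC08), ref: 00F84BCA",
    r"• SetErrorMode.KERNEL32(00000000,00FACB68,?,\\.\,00FACC08), ref: 00F84D36",
]
REG_WRITE_RECORD = [
    "• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C4BD",
    "• RegCreateKeyExW.ADVAPI32(?,?,00000000,00FACC08,00000000,?,00000000,?,?), ref: 00F9C544",
    "• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F9C5A4",
    "• _wcslen.LIBCMT ref: 00F9C5F4",
    "• _wcslen.LIBCMT ref: 00F9C66F",
    "• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F9C6B2",
    "• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F9C7C1",
    "• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F9C84D",
    "• RegCloseKey.ADVAPI32(?), ref: 00F9C881",
    "• RegCloseKey.ADVAPI32(00000000), ref: 00F9C88E",
    "• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F9C960",
]
# Subcall lines count like direct calls: without them this record would not
# yield the "_wcslen$MessageSend$BuffCharUpper" printed in the report.
TREEVIEW_RECORD = [
    "• CharUpperBuffW.USER32(?,?), ref: 00FA09C6",
    "• _wcslen.LIBCMT ref: 00FA0A01",
    "• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA0A54",
    "• _wcslen.LIBCMT ref: 00FA0A8A",
    "• _wcslen.LIBCMT ref: 00FA0B06",
    "• _wcslen.LIBCMT ref: 00FA0B81",
    "  • Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD",
    "  • Part of subcall function 00F72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F72BFA",
]
# Strings from the AutoIt splash-window record ("static" occurs twice there).
SPLASH_STRINGS = ["AutoIt v3", "static", "DISPLAY", "static", "msctls_progress32"]


def api_names(record_lines):
    """Function name of every call in an APIs block, in listing order."""
    return [m.group(1) for m in map(_CALL_RE.search, record_lines) if m]


def tokens(api_name):
    """'GetDriveTypeW' -> ['Drive', 'Type'];  '_wcslen' -> ['_wcslen']."""
    return [t for t in _TOKEN_RE.findall(api_name) if len(t) >= MIN_TOKEN_LEN]


def api_id(record_lines):
    """Tokens grouped by descending call-site count, alphabetical inside a
    group, groups joined with '$' (the format of the report's API ID line)."""
    counts = Counter(t for name in api_names(record_lines) for t in tokens(name))
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def string_id(strings):
    """Unique strings in byte (code point) order joined with '$'."""
    return "$".join(sorted(set(strings)))


if __name__ == "__main__":
    for label, rec in [("DriveGetType", DRIVE_TYPE_RECORD),
                       ("RegWrite", REG_WRITE_RECORD),
                       ("TreeView", TREEVIEW_RECORD)]:
        print(f"{label:12} API ID: {api_id(rec)}")
    print("Splash String ID:", string_id(SPLASH_STRINGS))
```

Because the key depends only on the call sites and their names, two functions built from the same source (here, the AutoIt runtime) get identical API IDs regardless of the image base, which is what makes the key usable for cross-sample matching; it is also why it tells you nothing about the compiled script's own logic, which lives in the interpreted payload rather than in these runtime helpers.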
                                          APIs
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9C4BD
                                          • RegCreateKeyExW.ADVAPI32(?,?,00000000,00FACC08,00000000,?,00000000,?,?), ref: 00F9C544
                                          • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00F9C5A4
                                          • _wcslen.LIBCMT ref: 00F9C5F4
                                          • _wcslen.LIBCMT ref: 00F9C66F
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00F9C6B2
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00F9C7C1
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00F9C84D
                                          • RegCloseKey.ADVAPI32(?), ref: 00F9C881
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00F9C88E
                                          • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00F9C960
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                          • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                          • API String ID: 9721498-966354055
                                          • Opcode ID: 962cb7b8dc35f96ba5013cef3067f87bc5d8c5c91d3c3a6d842a910a08b751f7
                                          • Instruction ID: b730b06732a131571ec4d733dbd8d9f5d4e6720d3599fbfa7f76ad6dc2c625ae
                                          • Opcode Fuzzy Hash: 962cb7b8dc35f96ba5013cef3067f87bc5d8c5c91d3c3a6d842a910a08b751f7
                                          • Instruction Fuzzy Hash: B3127A756043019FDB14EF14C891A6AB7E5EF88724F09885CF84A9B3A2DB35FC41EB81
                                          APIs
                                          • CharUpperBuffW.USER32(?,?), ref: 00FA09C6
                                          • _wcslen.LIBCMT ref: 00FA0A01
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA0A54
                                          • _wcslen.LIBCMT ref: 00FA0A8A
                                          • _wcslen.LIBCMT ref: 00FA0B06
                                          • _wcslen.LIBCMT ref: 00FA0B81
                                            • Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD
                                            • Part of subcall function 00F72BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F72BFA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$MessageSend$BuffCharUpper
                                          • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                          • API String ID: 1103490817-4258414348
                                          • Opcode ID: b7fcbe73d67f7ba2efa6d5163b281c68492b0b5e1e6679bd3826296b786a31f3
                                          • Instruction ID: 5e4767262cb8fdbb8a917510ba2d9a122a73ea0b90d7304b51345084f26ece9d
                                          • Opcode Fuzzy Hash: b7fcbe73d67f7ba2efa6d5163b281c68492b0b5e1e6679bd3826296b786a31f3
                                          • Instruction Fuzzy Hash: 16E1CF726083018FC714EF24D85092AB7E2FF89364F14895DF8999B362DB34ED45EB91
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                          • API String ID: 1256254125-909552448
                                          • Opcode ID: 4d54c8062f344cf04500ae3bc2cdc9035af6aed71f1f5b9bccadbed98fba196b
                                          • Instruction ID: e114cf4f65b76a34d08b1bc02742c206313882a9cf7a0280e228949fbf7ce260
                                          • Opcode Fuzzy Hash: 4d54c8062f344cf04500ae3bc2cdc9035af6aed71f1f5b9bccadbed98fba196b
                                          • Instruction Fuzzy Hash: 94711533A0016A8BEF20DE78CD516BE3391ABA0774F550529F8569B285F639DD84F3E0
                                          APIs
                                          • _wcslen.LIBCMT ref: 00FA835A
                                          • _wcslen.LIBCMT ref: 00FA836E
                                          • _wcslen.LIBCMT ref: 00FA8391
                                          • _wcslen.LIBCMT ref: 00FA83B4
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FA83F2
                                          • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FA5BF2), ref: 00FA844E
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8487
                                          • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FA84CA
                                          • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FA8501
                                          • FreeLibrary.KERNEL32(?), ref: 00FA850D
                                          • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FA851D
                                          • DestroyIcon.USER32(?,?,?,?,?,00FA5BF2), ref: 00FA852C
                                          • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FA8549
                                          • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FA8555
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                          • String ID: .dll$.exe$.icl
                                          • API String ID: 799131459-1154884017
                                          • Opcode ID: 9a6f10093a558555770097cffde1cab3901ceeeeaee0072c5a5c499c901ca0b1
                                          • Instruction ID: b745070c912a30851dbd648a74f2fdfbc74dbd510c181a5b04d98f384f974628
                                          • Opcode Fuzzy Hash: 9a6f10093a558555770097cffde1cab3901ceeeeaee0072c5a5c499c901ca0b1
                                          • Instruction Fuzzy Hash: B161F1B1900209BEEB14DF64CC45BFE77A8BF09761F104509FC15DA1D1EBB8A981E7A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                          • API String ID: 0-1645009161
                                          • Opcode ID: 59cf04e1aee629d1c38ef87ffa66f06e920e5146c3ffe96373e4c3cfcf7e2e45
                                          • Instruction ID: ab3811961e8e8a5f7883239067c8125b976f2655437c910b1da2335694e310b8
                                          • Opcode Fuzzy Hash: 59cf04e1aee629d1c38ef87ffa66f06e920e5146c3ffe96373e4c3cfcf7e2e45
                                          • Instruction Fuzzy Hash: EF8106B1A04705ABDB20BF60DC52FEE3B74AF05760F044024FD09AA192EB78D985F7A1
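The String ID of the entry above (#OnAutoItStartRegister, #requireadmin, #notrayicon, #pragma compile, #include, the comment-block directives and the "Bad directive syntax error" / "Cannot parse #include" / "Unterminated group of comments" messages) is the directive preprocessor of the AutoIt3 interpreter stub, which is the evidence behind the report's "Binary is likely a compiled AutoIt script file" signature. The scanner below is an added triage example; it is not Joe Sandbox code and not code from the sample. It searches a buffer for that directive table and for the registry-hive name table listed a few entries earlier (HKCC, HKCR, HKCU, HKEY_CLASSES_ROOT, ...), in UTF-16LE (the wide-string form the _wcslen-based interpreter code works on) as well as ASCII, and reports where each hit sits. The hit threshold, the "likely AutoIt" verdict and the constructed sample buffer are this example's own assumptions, not statements made by the report.

```python
"""Triage helper added alongside this report entry; it is not Joe Sandbox code
and not code from the sample.  It searches a buffer for the AutoIt
script-directive strings the entry lists (String ID column) and for the
registry-hive name table from the RegRead-style entry above, in both UTF-16LE
(the encoding the _wcslen-based interpreter code operates on) and ASCII.
The hit threshold and the 'likely AutoIt' verdict are this helper's own
assumptions, not a claim the report makes."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

# Directive tokens copied from the entry's String ID.  The bare quote characters
# '"' and "'" are left out because they would match almost any file.
AUTOIT_DIRECTIVES: Sequence[str] = (
    "#OnAutoItStartRegister", "#comments-start", "#comments-end", "#cs", "#ce",
    "#include-once", "#include", "#notrayicon", "#pragma compile",
    "#requireadmin", "Bad directive syntax error", "Cannot parse #include",
    "Unterminated group of comments",
)
# Hive-name table from the entry whose String ID lists HKCC/HKCR/HKCU/... .
REG_HIVES: Sequence[str] = (
    "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG", "HKEY_CURRENT_USER",
    "HKEY_LOCAL_MACHINE", "HKEY_USERS", "HKCC", "HKCR", "HKCU", "HKLM", "HKU",
)


@dataclass(frozen=True)
class Hit:
    token: str
    encoding: str   # "utf-16le" or "ascii"
    offset: int     # byte offset of the match in the buffer


def find_tokens(data: bytes, tokens: Sequence[str]) -> List[Hit]:
    """Return every occurrence of every token, wide encoding tried first.
    Overlapping tokens (e.g. '#include' inside '#include-once') are reported
    separately; callers that care can de-duplicate by offset."""
    hits: List[Hit] = []
    for tok in tokens:
        for enc in ("utf-16le", "ascii"):
            needle = tok.encode(enc)
            start = 0
            while (idx := data.find(needle, start)) >= 0:
                hits.append(Hit(tok, enc, idx))
                start = idx + 1
    return hits


def autoit_verdict(data: bytes, min_directives: int = 4) -> Dict[str, object]:
    """Classify a buffer.  min_directives is an assumed threshold: several
    distinct directive strings together are strong evidence of an embedded
    AutoIt3 interpreter; one or two could be coincidence in a text-heavy binary."""
    directive_hits = find_tokens(data, AUTOIT_DIRECTIVES)
    hive_hits = find_tokens(data, REG_HIVES)
    distinct = sorted({h.token for h in directive_hits})
    return {
        "directive_hits": directive_hits,
        "hive_hits": hive_hits,
        "distinct_directives": distinct,
        "likely_autoit": len(distinct) >= min_directives,
    }


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a read-only data section; NOT bytes taken from
    the real 'New PO.exe'.  Wide strings are NUL-terminated the way the
    interpreter stores them, plus one ASCII hive name to exercise the
    second encoding."""
    parts = [b"\x00" * 16]
    for s in ("#requireadmin", "#notrayicon", "#pragma compile",
              "#OnAutoItStartRegister", "HKEY_LOCAL_MACHINE"):
        parts.append(s.encode("utf-16le") + b"\x00\x00")
    parts.append(b"plain ascii HKCU text")
    return b"".join(parts)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    v = autoit_verdict(data)
    print("likely AutoIt:", v["likely_autoit"], "directives:", v["distinct_directives"])
    for h in v["hive_hits"]:
        print(f"  hive {h.token!r} ({h.encoding}) @ 0x{h.offset:x}")
```

Two caveats when reading the output: these strings belong to the interpreter stub, so a positive verdict tells you the executable was built with AutoIt, not what the embedded script does; the script body has to be extracted with an AutoIt decompiler to see that. And hits appearing only in UTF-16LE are the expected case for this stub (the report's entries are dominated by _wcslen), so an ASCII-only string search would miss the table entirely.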
                                          APIs
                                          • LoadIconW.USER32(00000063), ref: 00F75A2E
                                          • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00F75A40
                                          • SetWindowTextW.USER32(?,?), ref: 00F75A57
                                          • GetDlgItem.USER32(?,000003EA), ref: 00F75A6C
                                          • SetWindowTextW.USER32(00000000,?), ref: 00F75A72
                                          • GetDlgItem.USER32(?,000003E9), ref: 00F75A82
                                          • SetWindowTextW.USER32(00000000,?), ref: 00F75A88
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00F75AA9
                                          • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00F75AC3
                                          • GetWindowRect.USER32(?,?), ref: 00F75ACC
                                          • _wcslen.LIBCMT ref: 00F75B33
                                          • SetWindowTextW.USER32(?,?), ref: 00F75B6F
                                          • GetDesktopWindow.USER32 ref: 00F75B75
                                          • GetWindowRect.USER32(00000000), ref: 00F75B7C
                                          • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00F75BD3
                                          • GetClientRect.USER32(?,?), ref: 00F75BE0
                                          • PostMessageW.USER32(?,00000005,00000000,?), ref: 00F75C05
                                          • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00F75C2F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                          • String ID:
                                          • API String ID: 895679908-0
                                          • Opcode ID: 7fd0236e8e4447f286c417188eb608e6e7679a11581d1bdc0106f86803d8bfaf
                                          • Instruction ID: 78d2ebcaeb22eb1eaa5cd5d210825e0668f7e9d35d28489e54bdf807b89754bf
                                          • Opcode Fuzzy Hash: 7fd0236e8e4447f286c417188eb608e6e7679a11581d1bdc0106f86803d8bfaf
                                          • Instruction Fuzzy Hash: CA717F71900B099FDB20DFA8CE85F6EBBF5FF48B14F104919E14AA26A0D7B4E944DB50
                                          APIs
                                          • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F300C6
                                            • Part of subcall function 00F300ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00FE070C,00000FA0,F4CA6E08,?,?,?,?,00F523B3,000000FF), ref: 00F3011C
                                            • Part of subcall function 00F300ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F523B3,000000FF), ref: 00F30127
                                            • Part of subcall function 00F300ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F523B3,000000FF), ref: 00F30138
                                            • Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F3014E
                                            • Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F3015C
                                            • Part of subcall function 00F300ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F3016A
                                            • Part of subcall function 00F300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F30195
                                            • Part of subcall function 00F300ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F301A0
                                          • ___scrt_fastfail.LIBCMT ref: 00F300E7
                                            • Part of subcall function 00F300A3: __onexit.LIBCMT ref: 00F300A9
                                          Strings
                                          • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F30122
                                          • kernel32.dll, xrefs: 00F30133
                                          • WakeAllConditionVariable, xrefs: 00F30162
                                          • SleepConditionVariableCS, xrefs: 00F30154
                                          • InitializeConditionVariable, xrefs: 00F30148
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                          • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                          • API String ID: 66158676-1714406822
                                          • Opcode ID: ae90f1dbe776af6883f1f108ab9a3d7df12ea1c0f20e30d5e773e7f8ba3d4ba6
                                          • Instruction ID: 52d297bbcfc3a45edbc9409646a9248e23c14a734bbb128772a2b026c6a016a9
                                          • Opcode Fuzzy Hash: ae90f1dbe776af6883f1f108ab9a3d7df12ea1c0f20e30d5e773e7f8ba3d4ba6
                                          • Instruction Fuzzy Hash: 3E21F6B2E447156BE7216BA4AC55B2A73A4EB46B71F00013BF801E7291DFB4DC00BAD1
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                          • API String ID: 176396367-1603158881
                                          • Opcode ID: b21d95e34a31bcc4ac6d6ee5dcad85b1c4ccc182cf416518255d1fdc9a56b0b3
                                          • Instruction ID: 805c08a03f3614ec3999555234189a68951168868ab0fef1cfa4a768a1df9a57
                                          • Opcode Fuzzy Hash: b21d95e34a31bcc4ac6d6ee5dcad85b1c4ccc182cf416518255d1fdc9a56b0b3
                                          • Instruction Fuzzy Hash: F7E1B332E00516BACB18DF74C8517EEBBB1BF54720F58C12BE45AA7241DB30AE85B791
                                          APIs
                                          • CharLowerBuffW.USER32(00000000,00000000,00FACC08), ref: 00F84527
                                          • _wcslen.LIBCMT ref: 00F8453B
                                          • _wcslen.LIBCMT ref: 00F84599
                                          • _wcslen.LIBCMT ref: 00F845F4
                                          • _wcslen.LIBCMT ref: 00F8463F
                                          • _wcslen.LIBCMT ref: 00F846A7
                                            • Part of subcall function 00F2F9F2: _wcslen.LIBCMT ref: 00F2F9FD
                                          • GetDriveTypeW.KERNEL32(?,00FD6BF0,00000061), ref: 00F84743
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharDriveLowerType
                                          • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                          • API String ID: 2055661098-1000479233
                                          • Opcode ID: ed30b2552c43f19f32459d973aacd4a13efb9c9115208520646836237e915a58
                                          • Instruction ID: 404036e4343d82e98cf17e28d52183cef4561ba7425fa03278aa2460e64913c9
                                          • Opcode Fuzzy Hash: ed30b2552c43f19f32459d973aacd4a13efb9c9115208520646836237e915a58
                                          • Instruction Fuzzy Hash: D4B1C371A083029FC710EF28C890AAEF7E5AFA5770F54491DF496C7291E734E944EB92
                                          APIs
                                          • _wcslen.LIBCMT ref: 00F9B198
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B1B0
                                          • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B1D4
                                          • _wcslen.LIBCMT ref: 00F9B200
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B214
                                          • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F9B236
                                          • _wcslen.LIBCMT ref: 00F9B332
                                            • Part of subcall function 00F805A7: GetStdHandle.KERNEL32(000000F6), ref: 00F805C6
                                          • _wcslen.LIBCMT ref: 00F9B34B
                                          • _wcslen.LIBCMT ref: 00F9B366
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F9B3B6
                                          • GetLastError.KERNEL32(00000000), ref: 00F9B407
                                          • CloseHandle.KERNEL32(?), ref: 00F9B439
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9B44A
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9B45C
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9B46E
                                          • CloseHandle.KERNEL32(?), ref: 00F9B4E3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                          • String ID:
                                          • API String ID: 2178637699-0
                                          • Opcode ID: d84b1d6ea8b51bebd1c5b1390d2ffb5e9473af74e649fae26822b46df9bf77b0
                                          • Instruction ID: 7b9c1318610bbe6d2a85cbebd2839c188a008bde75c972f9ebb69c1645e8a32f
                                          • Opcode Fuzzy Hash: d84b1d6ea8b51bebd1c5b1390d2ffb5e9473af74e649fae26822b46df9bf77b0
                                          • Instruction Fuzzy Hash: EDF1B131A04300DFDB15EF24D991B6EBBE1AF85320F18855DF4998B2A2DB35EC44EB52
                                          APIs
                                          • GetMenuItemCount.USER32(00FE1990), ref: 00F52F8D
                                          • GetMenuItemCount.USER32(00FE1990), ref: 00F5303D
                                          • GetCursorPos.USER32(?), ref: 00F53081
                                          • SetForegroundWindow.USER32(00000000), ref: 00F5308A
                                          • TrackPopupMenuEx.USER32(00FE1990,00000000,?,00000000,00000000,00000000), ref: 00F5309D
                                          • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F530A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                          • String ID: 0
                                          • API String ID: 36266755-4108050209
                                          • Opcode ID: 4e16844a7c178e18ad67374c82a73d79cd16bbc6bb94fbb213d6abdb41532b79
                                          • Instruction ID: 81eeddc469333f45d36843a05757f8f2fe0c603af70c3f80c141d5ccb96b254d
                                          • Opcode Fuzzy Hash: 4e16844a7c178e18ad67374c82a73d79cd16bbc6bb94fbb213d6abdb41532b79
                                          • Instruction Fuzzy Hash: 8C713A71A44245BFEB219F24DC49F9ABFA4FF02374F204206FA156A1E0C7B1A954F791
                                          APIs
                                          • DestroyWindow.USER32(?,?), ref: 00FA6DEB
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FA6E5F
                                          • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FA6E81
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA6E94
                                          • DestroyWindow.USER32(?), ref: 00FA6EB5
                                          • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F10000,00000000), ref: 00FA6EE4
                                          • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FA6EFD
                                          • GetDesktopWindow.USER32 ref: 00FA6F16
                                          • GetWindowRect.USER32(00000000), ref: 00FA6F1D
                                          • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FA6F35
                                          • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FA6F4D
                                            • Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                          • String ID: 0$tooltips_class32
                                          • API String ID: 2429346358-3619404913
                                          • Opcode ID: 385985307de1dcf7814dd6551aa6130b74d4f894b79ac90a73e7fd2f8c8565fb
                                          • Instruction ID: 6f7d4fb1a0114a399359fa86b3ce862b3c98c5ad4f011fd587bf94efaeb56c3b
                                          • Opcode Fuzzy Hash: 385985307de1dcf7814dd6551aa6130b74d4f894b79ac90a73e7fd2f8c8565fb
                                          • Instruction Fuzzy Hash: D47179B4544244AFDB21CF18DC84FAABBE9FB8A314F08041EF999C72A1D770E905EB55
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • DragQueryPoint.SHELL32(?,?), ref: 00FA9147
                                            • Part of subcall function 00FA7674: ClientToScreen.USER32(?,?), ref: 00FA769A
                                            • Part of subcall function 00FA7674: GetWindowRect.USER32(?,?), ref: 00FA7710
                                            • Part of subcall function 00FA7674: PtInRect.USER32(?,?,00FA8B89), ref: 00FA7720
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00FA91B0
                                          • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FA91BB
                                          • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FA91DE
                                          • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FA9225
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00FA923E
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9255
                                          • SendMessageW.USER32(?,000000B1,?,?), ref: 00FA9277
                                          • DragFinish.SHELL32(?), ref: 00FA927E
                                          • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FA9371
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                          • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                          • API String ID: 221274066-3440237614
                                          • Opcode ID: e329dae97d0e16fe4afb1b220a01da4d587bcf2b6b089b1185e4fc1c8c0c4835
                                          • Instruction ID: 1a70944e28b011f1fca421284fadfb50a4d10318ecaf0dca1fa82740ffb4d68c
                                          • Opcode Fuzzy Hash: e329dae97d0e16fe4afb1b220a01da4d587bcf2b6b089b1185e4fc1c8c0c4835
                                          • Instruction Fuzzy Hash: E7618CB1108305AFD701DF61DC85DAFBBE8EF89350F40092EF595932A1DB709A49EB92
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8C4B0
                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8C4C3
                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8C4D7
                                          • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F8C4F0
                                          • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00F8C533
                                          • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F8C549
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8C554
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8C584
                                          • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00F8C5DC
                                          • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00F8C5F0
                                          • InternetCloseHandle.WININET(00000000), ref: 00F8C5FB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                          • String ID:
                                          • API String ID: 3800310941-3916222277
                                          • Opcode ID: aeee401ef33e8ee53f15c09bde4b998086b4d68e82897db1d934c44bf284eb1c
                                          • Instruction ID: bcc23adbcd20926d470808f06b6f1afd02702e98ea715769a6be0f6594e25456
                                          • Opcode Fuzzy Hash: aeee401ef33e8ee53f15c09bde4b998086b4d68e82897db1d934c44bf284eb1c
                                          • Instruction Fuzzy Hash: FF513BB1500609BFDB21AF64CD88AAB7BFCFF09754F04442AF9459A650DB34E944ABF0
                                          APIs
                                          • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00FA8592
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85A2
                                          • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85AD
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85BA
                                          • GlobalLock.KERNEL32(00000000), ref: 00FA85C8
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85D7
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00FA85E0
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85E7
                                          • CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00FA85F8
                                          • OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00FAFC38,?), ref: 00FA8611
                                          • GlobalFree.KERNEL32(00000000), ref: 00FA8621
                                          • GetObjectW.GDI32(?,00000018,?), ref: 00FA8641
                                          • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00FA8671
                                          • DeleteObject.GDI32(?), ref: 00FA8699
                                          • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FA86AF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                          • String ID:
                                          • API String ID: 3840717409-0
                                          • Opcode ID: 710bf5596f95c80a35f809ee23af0078d98b6bfaf0666e47b141bc7ccaf27f45
                                          • Instruction ID: 4c809e1f8b512b85dd920138534b330748d67773749694eac6e11125a1b57655
                                          • Opcode Fuzzy Hash: 710bf5596f95c80a35f809ee23af0078d98b6bfaf0666e47b141bc7ccaf27f45
                                          • Instruction Fuzzy Hash: 9A41EBB5A00208AFDB11DFA5DC48EAA7BB8FF8A765F144158F905E7260DB709D01EB60
                                          APIs
                                          • VariantInit.OLEAUT32(00000000), ref: 00F81502
                                          • VariantCopy.OLEAUT32(?,?), ref: 00F8150B
                                          • VariantClear.OLEAUT32(?), ref: 00F81517
                                          • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00F815FB
                                          • VarR8FromDec.OLEAUT32(?,?), ref: 00F81657
                                          • VariantInit.OLEAUT32(?), ref: 00F81708
                                          • SysFreeString.OLEAUT32(?), ref: 00F8178C
                                          • VariantClear.OLEAUT32(?), ref: 00F817D8
                                          • VariantClear.OLEAUT32(?), ref: 00F817E7
                                          • VariantInit.OLEAUT32(00000000), ref: 00F81823
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                          • String ID: %4d%02d%02d%02d%02d%02d$Default
                                          • API String ID: 1234038744-3931177956
                                          • Opcode ID: d7e55b6c5490dbfbb6c29e02a98db9b04e69b73bbecc6ac3619476f305072768
                                          • Instruction ID: 9558716078b4b187d2938dde49a0e726e681bb3f0f7aff386e9dc3ed60b2db6f
                                          • Opcode Fuzzy Hash: d7e55b6c5490dbfbb6c29e02a98db9b04e69b73bbecc6ac3619476f305072768
                                          • Instruction Fuzzy Hash: 55D11472A00115DBCB10AF65E885BFDB7B9BF46700F18825AE846AF180DB34DC46FB91
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9B6F4
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9B772
                                          • RegDeleteValueW.ADVAPI32(?,?), ref: 00F9B80A
                                          • RegCloseKey.ADVAPI32(?), ref: 00F9B87E
                                          • RegCloseKey.ADVAPI32(?), ref: 00F9B89C
                                          • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00F9B8F2
                                          • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9B904
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9B922
                                          • FreeLibrary.KERNEL32(00000000), ref: 00F9B983
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00F9B994
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 146587525-4033151799
                                          • Opcode ID: 1988f5f07aba38e2512b696c4a092746529ad43678ecce1d2c044fe081908d87
                                          • Instruction ID: 47c9103f6c652a056837ee1600acc4f7460a1bf8ac615f2ec68c183d3e6c0385
                                          • Opcode Fuzzy Hash: 1988f5f07aba38e2512b696c4a092746529ad43678ecce1d2c044fe081908d87
                                          • Instruction Fuzzy Hash: F7C1B130608201AFEB14DF14D994F2ABBE1FF84314F14855CF5598B2A2CB75EC86EB91
                                          APIs
                                          • GetDC.USER32(00000000), ref: 00F925D8
                                          • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00F925E8
                                          • CreateCompatibleDC.GDI32(?), ref: 00F925F4
                                          • SelectObject.GDI32(00000000,?), ref: 00F92601
                                          • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00F9266D
                                          • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00F926AC
                                          • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00F926D0
                                          • SelectObject.GDI32(?,?), ref: 00F926D8
                                          • DeleteObject.GDI32(?), ref: 00F926E1
                                          • DeleteDC.GDI32(?), ref: 00F926E8
                                          • ReleaseDC.USER32(00000000,?), ref: 00F926F3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                          • String ID: (
                                          • API String ID: 2598888154-3887548279
                                          • Opcode ID: 63286c600622c09d61f1bfe00f14b9ac6aa6a0c8f3f322c476b40ca5084d411b
                                          • Instruction ID: 3c4fb677ca0d80825175077d6b9566ecd8918bc7780883f20fda1b975b90b2a0
                                          • Opcode Fuzzy Hash: 63286c600622c09d61f1bfe00f14b9ac6aa6a0c8f3f322c476b40ca5084d411b
                                          • Instruction Fuzzy Hash: D161D1B5E00219EFDF05CFA4D884AAEBBB5FF48310F208529E955A7250E774A941DFA0
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 00F4DAA1
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D659
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D66B
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D67D
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D68F
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6A1
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6B3
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6C5
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6D7
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6E9
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D6FB
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D70D
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D71F
                                            • Part of subcall function 00F4D63C: _free.LIBCMT ref: 00F4D731
                                          • _free.LIBCMT ref: 00F4DA96
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F4DAB8
                                          • _free.LIBCMT ref: 00F4DACD
                                          • _free.LIBCMT ref: 00F4DAD8
                                          • _free.LIBCMT ref: 00F4DAFA
                                          • _free.LIBCMT ref: 00F4DB0D
                                          • _free.LIBCMT ref: 00F4DB1B
                                          • _free.LIBCMT ref: 00F4DB26
                                          • _free.LIBCMT ref: 00F4DB5E
                                          • _free.LIBCMT ref: 00F4DB65
                                          • _free.LIBCMT ref: 00F4DB82
                                          • _free.LIBCMT ref: 00F4DB9A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: 98cb1cca28a579ec4e89b6ef746939aaa3ca7305ddcf4104131d6788a87851f0
                                          • Instruction ID: 3586ab857309f4f7c1fc4e4ec15b1812f4078a282f56a6db7b615af6952802d6
                                          • Opcode Fuzzy Hash: 98cb1cca28a579ec4e89b6ef746939aaa3ca7305ddcf4104131d6788a87851f0
                                          • Instruction Fuzzy Hash: A7314C31A046059FEB61AA39EC45B567FE9FF40320F55442AF849D7292DB39AC40F720
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00F7369C
                                          • _wcslen.LIBCMT ref: 00F736A7
                                          • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F73797
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00F7380C
                                          • GetDlgCtrlID.USER32(?), ref: 00F7385D
                                          • GetWindowRect.USER32(?,?), ref: 00F73882
                                          • GetParent.USER32(?), ref: 00F738A0
                                          • ScreenToClient.USER32(00000000), ref: 00F738A7
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00F73921
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F7395D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                          • String ID: %s%u
                                          • API String ID: 4010501982-679674701
                                          • Opcode ID: 5b31abe479d85b9d3c6f29eb3c1e498d7df95fc91c6f43f401aac517f5accc27
                                          • Instruction ID: 5aba6cb1e8da2b7ea95e06d04d3097334557eb05928f02055ecc0d6331b60262
                                          • Opcode Fuzzy Hash: 5b31abe479d85b9d3c6f29eb3c1e498d7df95fc91c6f43f401aac517f5accc27
                                          • Instruction Fuzzy Hash: FA91B671604606BFD718DF24C885FAAB7A9FF44360F00C52AF99DD2190DB34EA45EB92
                                          APIs
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00F74994
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F749DA
                                          • _wcslen.LIBCMT ref: 00F749EB
                                          • CharUpperBuffW.USER32(?,00000000), ref: 00F749F7
                                          • _wcsstr.LIBVCRUNTIME ref: 00F74A2C
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00F74A64
                                          • GetWindowTextW.USER32(?,?,00000400), ref: 00F74A9D
                                          • GetClassNameW.USER32(00000018,?,00000400), ref: 00F74AE6
                                          • GetClassNameW.USER32(?,?,00000400), ref: 00F74B20
                                          • GetWindowRect.USER32(?,?), ref: 00F74B8B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                          • String ID: ThumbnailClass
                                          • API String ID: 1311036022-1241985126
                                          • Opcode ID: 887ff62c3b5ff38d3f23cdee06d0e9ca49daacddad7b730afafa49b2ce36e52d
                                          • Instruction ID: 0880e17c5a7f4c028f3155a1708d3f008fa03360c9947a13c3ccfb27fbdb8c0f
                                          • Opcode Fuzzy Hash: 887ff62c3b5ff38d3f23cdee06d0e9ca49daacddad7b730afafa49b2ce36e52d
                                          • Instruction Fuzzy Hash: 0491B1714082059FDB05DF14C981FAA77E8FF84324F04846AFD899A196DB34FD45EBA2
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA8D5A
                                          • GetFocus.USER32 ref: 00FA8D6A
                                          • GetDlgCtrlID.USER32(00000000), ref: 00FA8D75
                                          • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FA8E1D
                                          • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FA8ECF
                                          • GetMenuItemCount.USER32(?), ref: 00FA8EEC
                                          • GetMenuItemID.USER32(?,00000000), ref: 00FA8EFC
                                          • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FA8F2E
                                          • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FA8F70
                                          • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FA8FA1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                          • String ID: 0
                                          • API String ID: 1026556194-4108050209
                                          • Opcode ID: fcd8de086628a87cefcaf3f571d269f4975a9fadf08209af98666832c4a0f813
                                          • Instruction ID: 42afa3136917475aa12328e2f702b8987ad22f2b7ac3855cbc9a448102c64540
                                          • Opcode Fuzzy Hash: fcd8de086628a87cefcaf3f571d269f4975a9fadf08209af98666832c4a0f813
                                          • Instruction Fuzzy Hash: D881A4B19043059FDB10CF14DC84AAB7BE9FF8A3A4F14051DF98597291DBB4D902EBA1
                                          APIs
                                          • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00F7DC20
                                          • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00F7DC46
                                          • _wcslen.LIBCMT ref: 00F7DC50
                                          • _wcsstr.LIBVCRUNTIME ref: 00F7DCA0
                                          • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00F7DCBC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                          • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                          • API String ID: 1939486746-1459072770
                                          • Opcode ID: bac486a7b326c1643a9790ba634be52c8f076d279026c07b74fae9ca67cf1938
                                          • Instruction ID: 6b0ed2965f2e6405f05533485c59f8f3679a42ecbfec8e67d71d21a083cd9119
                                          • Opcode Fuzzy Hash: bac486a7b326c1643a9790ba634be52c8f076d279026c07b74fae9ca67cf1938
                                          • Instruction Fuzzy Hash: E14134729402157ADB15A770EC43EBF37BCEF42760F14406AF904E6182EB79E901B7A6
                                          APIs
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9CC64
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00F9CC8D
                                          • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9CD48
                                            • Part of subcall function 00F9CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00F9CCAA
                                            • Part of subcall function 00F9CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00F9CCBD
                                            • Part of subcall function 00F9CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F9CCCF
                                            • Part of subcall function 00F9CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00F9CD05
                                            • Part of subcall function 00F9CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00F9CD28
                                          • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F9CCF3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                          • String ID: RegDeleteKeyExW$advapi32.dll
                                          • API String ID: 2734957052-4033151799
                                          • Opcode ID: b82069c6fdd9f5c61a31fbdb1b0740f6ad0c8fe68e6c6918f4445b93b8833f77
                                          • Instruction ID: e8554f296e45f2a20230f9b58194ec5fe7f354c412c65bd1c687b791bb5f6e82
                                          • Opcode Fuzzy Hash: b82069c6fdd9f5c61a31fbdb1b0740f6ad0c8fe68e6c6918f4445b93b8833f77
                                          • Instruction Fuzzy Hash: CC317CB1E0112CBBEB219B51DC88EFFBB7CEF46754F000166E915E2240DA349A45BAE0
                                          APIs
                                          • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F83D40
                                          • _wcslen.LIBCMT ref: 00F83D6D
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F83D9D
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F83DBE
                                          • RemoveDirectoryW.KERNEL32(?), ref: 00F83DCE
                                          • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F83E55
                                          • CloseHandle.KERNEL32(00000000), ref: 00F83E60
                                          • CloseHandle.KERNEL32(00000000), ref: 00F83E6B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                          • String ID: :$\$\??\%s
                                          • API String ID: 1149970189-3457252023
                                          • Opcode ID: 2aa84ec1d4ec72200868d37879f6a93b07a99ffa0ddbf0086382671babf27f1e
                                          • Instruction ID: 483b35fc86122e7f95dc493a6c9c56d4d64b9fd2ddd0f1dae65efea304916fcf
                                          • Opcode Fuzzy Hash: 2aa84ec1d4ec72200868d37879f6a93b07a99ffa0ddbf0086382671babf27f1e
                                          • Instruction Fuzzy Hash: 0E31B4B290021DABDB21ABA0DC49FEF37BCEF89B10F1040B5F505D6160EB7497459B64
                                          APIs
                                          • timeGetTime.WINMM ref: 00F7E6B4
                                            • Part of subcall function 00F2E551: timeGetTime.WINMM(?,?,00F7E6D4), ref: 00F2E555
                                          • Sleep.KERNEL32(0000000A), ref: 00F7E6E1
                                          • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00F7E705
                                          • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F7E727
                                          • SetActiveWindow.USER32 ref: 00F7E746
                                          • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F7E754
                                          • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F7E773
                                          • Sleep.KERNEL32(000000FA), ref: 00F7E77E
                                          • IsWindow.USER32 ref: 00F7E78A
                                          • EndDialog.USER32(00000000), ref: 00F7E79B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                          • String ID: BUTTON
                                          • API String ID: 1194449130-3405671355
                                          • Opcode ID: f2763c31184d8c95fda7ce35813934990032b0447ea36d0cdf558e1d4b858ccb
                                          • Instruction ID: 2c66ca367aed65fd7ec69a7dd8f94155daf91080069e576fc7531ff70edfed6a
                                          • Opcode Fuzzy Hash: f2763c31184d8c95fda7ce35813934990032b0447ea36d0cdf558e1d4b858ccb
                                          • Instruction Fuzzy Hash: 0C21A4B120024CAFEF005F24ECC9E253B6DF759358B148467F51D862B1EBB5AC00BA66
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F7EA5D
                                          • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F7EA73
                                          • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F7EA84
                                          • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F7EA96
                                          • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F7EAA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: SendString$_wcslen
                                          • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                          • API String ID: 2420728520-1007645807
                                          • Opcode ID: 6bf895d6d081a24fc49851440b9e77828dbbf6678a83cd7247805dbbc7993ea3
                                          • Instruction ID: ae21b7e5d1488ad26d033c179f5202062688c5dd07dc995aa7644f9405788e2a
                                          • Opcode Fuzzy Hash: 6bf895d6d081a24fc49851440b9e77828dbbf6678a83cd7247805dbbc7993ea3
                                          • Instruction Fuzzy Hash: 2B11A331A5021979E720A7A1DC5ADFF7B7CEBD5B10F44042BB811E20D0EEB45945E5B3
                                          APIs
                                          • GetDlgItem.USER32(?,00000001), ref: 00F75CE2
                                          • GetWindowRect.USER32(00000000,?), ref: 00F75CFB
                                          • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00F75D59
                                          • GetDlgItem.USER32(?,00000002), ref: 00F75D69
                                          • GetWindowRect.USER32(00000000,?), ref: 00F75D7B
                                          • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00F75DCF
                                          • GetDlgItem.USER32(?,000003E9), ref: 00F75DDD
                                          • GetWindowRect.USER32(00000000,?), ref: 00F75DEF
                                          • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00F75E31
                                          • GetDlgItem.USER32(?,000003EA), ref: 00F75E44
                                          • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F75E5A
                                          • InvalidateRect.USER32(?,00000000,00000001), ref: 00F75E67
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$ItemMoveRect$Invalidate
                                          • String ID:
                                          • API String ID: 3096461208-0
                                          • Opcode ID: dd5fc85f656487f4b9a02a602d2ffca6d2b86695b3b6e4037111fb564d465db0
                                          • Instruction ID: 20723c6aa33528cb24800145e60f7196820ce517b93f52c40a2d7e1aeea0d83e
                                          • Opcode Fuzzy Hash: dd5fc85f656487f4b9a02a602d2ffca6d2b86695b3b6e4037111fb564d465db0
                                          • Instruction Fuzzy Hash: 3151FDB1E00609AFDF18CF68DD89AAEBBB5FB48710F148129F519E7290D7709E04DB91
                                          APIs
                                            • Part of subcall function 00F28F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F28BE8,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28FC5
                                          • DestroyWindow.USER32(?), ref: 00F28C81
                                          • KillTimer.USER32(00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F28D1B
                                          • DestroyAcceleratorTable.USER32(00000000), ref: 00F66973
                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F669A1
                                          • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000,?), ref: 00F669B8
                                          • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F28BBA,00000000), ref: 00F669D4
                                          • DeleteObject.GDI32(00000000), ref: 00F669E6
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                          • String ID:
                                          • API String ID: 641708696-0
                                          • Opcode ID: 71a07e1f97c80ca1ecd0b84a38c7903ca708c0f0be3fb107785658bdc0e561fd
                                          • Instruction ID: 693329cc880dd042a12cde1355d877f349e7029ac7ac17358a3c95f5d2aaa993
                                          • Opcode Fuzzy Hash: 71a07e1f97c80ca1ecd0b84a38c7903ca708c0f0be3fb107785658bdc0e561fd
                                          • Instruction Fuzzy Hash: D861CD31902668DFDB259F25EA88B29B7F1FB41362F14851DE0429B560CB35AD82FF90
                                          APIs
                                            • Part of subcall function 00F29944: GetWindowLongW.USER32(?,000000EB), ref: 00F29952
                                          • GetSysColor.USER32(0000000F), ref: 00F29862
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ColorLongWindow
                                          • String ID:
                                          • API String ID: 259745315-0
                                          • Opcode ID: d1eab0cbd18c765409f24ddde9dc467e52fb477c3ea16ced3e9f7dd6ab0d1634
                                          • Instruction ID: 19da1f8c25153c4cf7d2b4f39bb38598868697d8216c51a6bfdfedda8ffea445
                                          • Opcode Fuzzy Hash: d1eab0cbd18c765409f24ddde9dc467e52fb477c3ea16ced3e9f7dd6ab0d1634
                                          • Instruction Fuzzy Hash: 4E41C4719086549FDB209F38AC88BF93BA5EB17330F584655F9A2872E2C7719C42FB50
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00F5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00F79717
                                          • LoadStringW.USER32(00000000,?,00F5F7F8,00000001), ref: 00F79720
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00F5F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00F79742
                                          • LoadStringW.USER32(00000000,?,00F5F7F8,00000001), ref: 00F79745
                                          • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00F79866
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message_wcslen
                                          • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                          • API String ID: 747408836-2268648507
                                          • Opcode ID: 8582aa3f8eafa69c2fb6970335afecae999818136ccd365cc718a80c51fb8c3d
                                          • Instruction ID: e8f3fc8f8e0d2073ad2b8631416c4659e5dc8dd93420a0df7f78697d1609108a
                                          • Opcode Fuzzy Hash: 8582aa3f8eafa69c2fb6970335afecae999818136ccd365cc718a80c51fb8c3d
                                          • Instruction Fuzzy Hash: BB419672804219AACF04FBE0DD52DEE7378EF15350F504026F605B2092EB796F88EBA1
                                          APIs
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00F707A2
                                          • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00F707BE
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00F707DA
                                          • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00F70804
                                          • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00F7082C
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F70837
                                          • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00F7083C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                          • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                          • API String ID: 323675364-22481851
                                          • Opcode ID: 147ae6c7a8d7eeb7f304956b7eb576a5b46015a6cbe3dc20bf8e35110147732e
                                          • Instruction ID: 401679189a025698e2787f294fd9a6a4b42b6f882ee1fde958302dd701821928
                                          • Opcode Fuzzy Hash: 147ae6c7a8d7eeb7f304956b7eb576a5b46015a6cbe3dc20bf8e35110147732e
                                          • Instruction Fuzzy Hash: 57411872C10229EBCF15EBA4DC95CEDB778BF04750F44812AE905A3161EB74AE44EB91
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00F93C5C
                                          • CoInitialize.OLE32(00000000), ref: 00F93C8A
                                          • CoUninitialize.OLE32 ref: 00F93C94
                                          • _wcslen.LIBCMT ref: 00F93D2D
                                          • GetRunningObjectTable.OLE32(00000000,?), ref: 00F93DB1
                                          • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F93ED5
                                          • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00F93F0E
                                          • CoGetObject.OLE32(?,00000000,00FAFB98,?), ref: 00F93F2D
                                          • SetErrorMode.KERNEL32(00000000), ref: 00F93F40
                                          • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F93FC4
                                          • VariantClear.OLEAUT32(?), ref: 00F93FD8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                          • String ID:
                                          • API String ID: 429561992-0
                                          • Opcode ID: 79873f2a8aae80326f6f7c4ce53d3a2ac0940e91cd1b7631a34e04f3902f1009
                                          • Instruction ID: 0c16f0b591482791b3e553c6de31969531d24a3e1dc8bd011d5b2e4b5cd7d7a8
                                          • Opcode Fuzzy Hash: 79873f2a8aae80326f6f7c4ce53d3a2ac0940e91cd1b7631a34e04f3902f1009
                                          • Instruction Fuzzy Hash: 58C147716083059FDB00DF68C88492BB7E9FF89758F00491DF98A9B250DB31EE45DB92
                                          APIs
                                          • CoInitialize.OLE32(00000000), ref: 00F87AF3
                                          • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F87B8F
                                          • SHGetDesktopFolder.SHELL32(?), ref: 00F87BA3
                                          • CoCreateInstance.OLE32(00FAFD08,00000000,00000001,00FD6E6C,?), ref: 00F87BEF
                                          • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F87C74
                                          • CoTaskMemFree.OLE32(?,?), ref: 00F87CCC
                                          • SHBrowseForFolderW.SHELL32(?), ref: 00F87D57
                                          • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F87D7A
                                          • CoTaskMemFree.OLE32(00000000), ref: 00F87D81
                                          • CoTaskMemFree.OLE32(00000000), ref: 00F87DD6
                                          • CoUninitialize.OLE32 ref: 00F87DDC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                          • String ID:
                                          • API String ID: 2762341140-0
                                          • Opcode ID: 7783d31c2354f5530a20a815a88036886eef6ed136640dd5322cf91b667e0062
                                          • Instruction ID: 7668f9e2d62ae3e3e7aaf1bee10aec43d2825f789c39a8cca2eb7006d0b64f9f
                                          • Opcode Fuzzy Hash: 7783d31c2354f5530a20a815a88036886eef6ed136640dd5322cf91b667e0062
                                          • Instruction Fuzzy Hash: 61C13C75A04209AFCB14EFA4C884DAEBBF9FF49314B148499E819DB361D734EE41DB90
                                          APIs
                                          • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FA5504
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA5515
                                          • CharNextW.USER32(00000158), ref: 00FA5544
                                          • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FA5585
                                          • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FA559B
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA55AC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$CharNext
                                          • String ID:
                                          • API String ID: 1350042424-0
                                          • Opcode ID: b608b328989b13a9b1395224062f965a1f2f6bb7943005e9580c7807ca4569a2
                                          • Instruction ID: 21150df50cbd2ea1e9cccd6ff8521dc08e8cc868c4022360ed0dcc5f65ec9ba2
                                          • Opcode Fuzzy Hash: b608b328989b13a9b1395224062f965a1f2f6bb7943005e9580c7807ca4569a2
                                          • Instruction Fuzzy Hash: AC617AB5900608EFDF10DF54CC84AFE7BB9EF0BB24F144145F925AA290D7749A80EBA1
                                          APIs
                                          • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F6FAAF
                                          • SafeArrayAllocData.OLEAUT32(?), ref: 00F6FB08
                                          • VariantInit.OLEAUT32(?), ref: 00F6FB1A
                                          • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F6FB3A
                                          • VariantCopy.OLEAUT32(?,?), ref: 00F6FB8D
                                          • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F6FBA1
                                          • VariantClear.OLEAUT32(?), ref: 00F6FBB6
                                          • SafeArrayDestroyData.OLEAUT32(?), ref: 00F6FBC3
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F6FBCC
                                          • VariantClear.OLEAUT32(?), ref: 00F6FBDE
                                          • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F6FBE9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                          • String ID:
                                          • API String ID: 2706829360-0
                                          • Opcode ID: 3eb6bd866d19b38830bae574ee011d9845f806be38ca6f16e48113a3b58ad32b
                                          • Instruction ID: 8cea5bf8569c71aa4b6d4d9bd912986544dd6214946e79738b6841291cd7cf25
                                          • Opcode Fuzzy Hash: 3eb6bd866d19b38830bae574ee011d9845f806be38ca6f16e48113a3b58ad32b
                                          • Instruction Fuzzy Hash: BF414E75A00219DFCB00DFA8DC549EEBBB9FF49354F008069E956A7261CB34E945EBA0
                                          APIs
                                          • GetKeyboardState.USER32(?), ref: 00F79CA1
                                          • GetAsyncKeyState.USER32(000000A0), ref: 00F79D22
                                          • GetKeyState.USER32(000000A0), ref: 00F79D3D
                                          • GetAsyncKeyState.USER32(000000A1), ref: 00F79D57
                                          • GetKeyState.USER32(000000A1), ref: 00F79D6C
                                          • GetAsyncKeyState.USER32(00000011), ref: 00F79D84
                                          • GetKeyState.USER32(00000011), ref: 00F79D96
                                          • GetAsyncKeyState.USER32(00000012), ref: 00F79DAE
                                          • GetKeyState.USER32(00000012), ref: 00F79DC0
                                          • GetAsyncKeyState.USER32(0000005B), ref: 00F79DD8
                                          • GetKeyState.USER32(0000005B), ref: 00F79DEA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: State$Async$Keyboard
                                          • String ID:
                                          • API String ID: 541375521-0
                                          • Opcode ID: 8c1073041c1dd52d0568cc73f5d9ac12e4f63fc1092c4ba03e11c064733c484a
                                          • Instruction ID: 32b0c06d9391f8406750dbd87ea491eeb917cbd1026672604f9a4580f8fdb7a0
                                          • Opcode Fuzzy Hash: 8c1073041c1dd52d0568cc73f5d9ac12e4f63fc1092c4ba03e11c064733c484a
                                          • Instruction Fuzzy Hash: 8C41D874D0C7CA6DFF31876484043B5BEA06B12364F08C05BDACA566C2EBE499C4E7A3
                                          APIs
                                          • WSAStartup.WSOCK32(00000101,?), ref: 00F905BC
                                          • inet_addr.WSOCK32(?), ref: 00F9061C
                                          • gethostbyname.WSOCK32(?), ref: 00F90628
                                          • IcmpCreateFile.IPHLPAPI ref: 00F90636
                                          • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F906C6
                                          • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F906E5
                                          • IcmpCloseHandle.IPHLPAPI(?), ref: 00F907B9
                                          • WSACleanup.WSOCK32 ref: 00F907BF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                          • String ID: Ping
                                          • API String ID: 1028309954-2246546115
                                          • Opcode ID: f06dbdcee599b5f493c2917ccc66340143f39edd6934b94cf416a3618f23b796
                                          • Instruction ID: 12e2d03363fbf8cef500e97e57f73fb2a3221813eb086b965ea12ff4c7011f47
                                          • Opcode Fuzzy Hash: f06dbdcee599b5f493c2917ccc66340143f39edd6934b94cf416a3618f23b796
                                          • Instruction Fuzzy Hash: 57919175A042019FEB10CF15C888F16BBE0AF44328F1585A9F4698B6A2CB34FC45DF92
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharLower
                                          • String ID: cdecl$none$stdcall$winapi
                                          • API String ID: 707087890-567219261
                                          • Opcode ID: 5c3f110b33cc30d78fb69ffad6749dcc7ab0f888d2f59645d18575913084aa82
                                          • Instruction ID: e41939aa086541f6f1e3d560f1090c729afbc6e2192dce7d92c9b85b7af66a52
                                          • Opcode Fuzzy Hash: 5c3f110b33cc30d78fb69ffad6749dcc7ab0f888d2f59645d18575913084aa82
                                          • Instruction Fuzzy Hash: 0851B332E001169BDF14EFA8C8509BEB7A5BF663B0B24422AE416E72C4DB35DD41E790
                                          APIs
                                          • CoInitialize.OLE32 ref: 00F93774
                                          • CoUninitialize.OLE32 ref: 00F9377F
                                          • CoCreateInstance.OLE32(?,00000000,00000017,00FAFB78,?), ref: 00F937D9
                                          • IIDFromString.OLE32(?,?), ref: 00F9384C
                                          • VariantInit.OLEAUT32(?), ref: 00F938E4
                                          • VariantClear.OLEAUT32(?), ref: 00F93936
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                          • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                          • API String ID: 636576611-1287834457
                                          • Opcode ID: 484cd092a8a294d9f5654280ed03601c6819937100a538bfad4866d684f09012
                                          • Instruction ID: a7f8bfe8f97b7fc21370cb19ac6f373993c8e2df281d610031893ae0de2c4240
                                          • Opcode Fuzzy Hash: 484cd092a8a294d9f5654280ed03601c6819937100a538bfad4866d684f09012
                                          • Instruction Fuzzy Hash: B661A1B2608311AFE711DF54C848F6ABBE8EF49710F044809F9859B291D774EE48EB93
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00F833CF
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F833F0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LoadString$_wcslen
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 4099089115-3080491070
                                          • Opcode ID: 053a58b7fb703e1d5c6eb5f402dfa044065c81477db1dc8e0d1a6e2308dee297
                                          • Instruction ID: 2692307d57edf32ec1436b688cc34cd218fa2824298c51ab6c806d3df3162415
                                          • Opcode Fuzzy Hash: 053a58b7fb703e1d5c6eb5f402dfa044065c81477db1dc8e0d1a6e2308dee297
                                          • Instruction Fuzzy Hash: 4951B371C0020AAADF14EBA0DD42EEEB379AF04740F144066F505B2161EB796F98FB61
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: APPEND$EXISTS$KEYS$REMOVE
                                          • API String ID: 1256254125-769500911
                                          • Opcode ID: 4ca3a491c1a7657c115504904de9990e213366f8e9aa9614be9d5f2fe7f01942
                                          • Instruction ID: f1f50f1d8d44656d90cf8beda60bb62c31ec6678e1d561518d252bff0dbd4ef0
                                          • Opcode Fuzzy Hash: 4ca3a491c1a7657c115504904de9990e213366f8e9aa9614be9d5f2fe7f01942
                                          • Instruction Fuzzy Hash: 87412B32E0002A9BCB105F7DCC907BE77A1AF62774B24816BE629D7284E735CD81E791
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00F853A0
                                          • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F85416
                                          • GetLastError.KERNEL32 ref: 00F85420
                                          • SetErrorMode.KERNEL32(00000000,READY), ref: 00F854A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Error$Mode$DiskFreeLastSpace
                                          • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                          • API String ID: 4194297153-14809454
                                          • Opcode ID: 36fc99c8e529513dd42fdcdae63c65f8dadf23f363f48acd03f29ce50d8ee4cd
                                          • Instruction ID: 42f97ba918a4bc2e8a3441be12fcbce5e61a54d4c28cec2af4f34f738638d399
                                          • Opcode Fuzzy Hash: 36fc99c8e529513dd42fdcdae63c65f8dadf23f363f48acd03f29ce50d8ee4cd
                                          • Instruction Fuzzy Hash: 7131CE75A002049FDB10EF68C894BEABBB5EF45715F188066E405CB392DB71ED82EB90
                                          APIs
                                          • CreateMenu.USER32 ref: 00FA3C79
                                          • SetMenu.USER32(?,00000000), ref: 00FA3C88
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA3D10
                                          • IsMenu.USER32(?), ref: 00FA3D24
                                          • CreatePopupMenu.USER32 ref: 00FA3D2E
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA3D5B
                                          • DrawMenuBar.USER32 ref: 00FA3D63
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                          • String ID: 0$F
                                          • API String ID: 161812096-3044882817
                                          • Opcode ID: 60fb384dff5ee55b9aaaa869f3cadb45d3c0d699147767ee63f8051ec6da3bfe
                                          • Instruction ID: 6ec3d12110354ffb4bf51d2ed8593c3bb97b76de9ef760408f1aff4b28868d5c
                                          • Opcode Fuzzy Hash: 60fb384dff5ee55b9aaaa869f3cadb45d3c0d699147767ee63f8051ec6da3bfe
                                          • Instruction Fuzzy Hash: 94412CB5A01209EFDB14CF65D884AEA7BF5FF4A360F140029F946A7360D771AA10EF94
                                          APIs
                                          • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FA3A9D
                                          • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FA3AA0
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA3AC7
                                          • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA3AEA
                                          • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FA3B62
                                          • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FA3BAC
                                          • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FA3BC7
                                          • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FA3BE2
                                          • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FA3BF6
                                          • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FA3C13
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$LongWindow
                                          • String ID:
                                          • API String ID: 312131281-0
                                          • Opcode ID: 11d41af3b5a41cef9458f4769af9a74e78f348b4196e2948f1a14535a42d4487
                                          • Instruction ID: 1222fc9026a4e604a5fd9e090c031b9ac4b4032fc562c5c9ae34ad81929af061
                                          • Opcode Fuzzy Hash: 11d41af3b5a41cef9458f4769af9a74e78f348b4196e2948f1a14535a42d4487
                                          • Instruction Fuzzy Hash: 3C616DB5900248AFDB10DF64CC81EEE77F8EF49710F104159FA15A7291D774AE45EB60
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00F7B151
                                          • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B165
                                          • GetWindowThreadProcessId.USER32(00000000), ref: 00F7B16C
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B17B
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F7B18D
                                          • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1A6
                                          • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1B8
                                          • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B1FD
                                          • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B212
                                          • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00F7A1E1,?,00000001), ref: 00F7B21D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                          • String ID:
                                          • API String ID: 2156557900-0
                                          • Opcode ID: 2b66953516b97643abfe7d5568284e63b54a7bdb2435018a56a5fcb05043c3f0
                                          • Instruction ID: 3870d3705b660a1b085a29802e778df11fa02e33e04fe26189388608cf1499ea
                                          • Opcode Fuzzy Hash: 2b66953516b97643abfe7d5568284e63b54a7bdb2435018a56a5fcb05043c3f0
                                          • Instruction Fuzzy Hash: 613152B590020CAFDB119F64EC8CB6D7B6AAB52325F108416FA09DB251D7B49E40EF61
                                          APIs
                                          • _free.LIBCMT ref: 00F42C94
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F42CA0
                                          • _free.LIBCMT ref: 00F42CAB
                                          • _free.LIBCMT ref: 00F42CB6
                                          • _free.LIBCMT ref: 00F42CC1
                                          • _free.LIBCMT ref: 00F42CCC
                                          • _free.LIBCMT ref: 00F42CD7
                                          • _free.LIBCMT ref: 00F42CE2
                                          • _free.LIBCMT ref: 00F42CED
                                          • _free.LIBCMT ref: 00F42CFB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 2337b247769be4598e2d75ca982d5684056cd83d57d1d353aa74cbeb1278ca71
                                          • Instruction ID: 50d89c94f672c55486e5a8f1f38975aac1ef9fe930be2da2c9424129e5a29290
                                          • Opcode Fuzzy Hash: 2337b247769be4598e2d75ca982d5684056cd83d57d1d353aa74cbeb1278ca71
                                          • Instruction Fuzzy Hash: 1B119276500108AFDB82EF59DC82CDD3FB5FF05350F9144A5FA489B222DA35EA50BB90
                                          APIs
                                          • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F11459
                                          • OleUninitialize.OLE32(?,00000000), ref: 00F114F8
                                          • UnregisterHotKey.USER32(?), ref: 00F116DD
                                          • DestroyWindow.USER32(?), ref: 00F524B9
                                          • FreeLibrary.KERNEL32(?), ref: 00F5251E
                                          • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F5254B
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                          • String ID: close all
                                          • API String ID: 469580280-3243417748
                                          • Opcode ID: c78af2de359abafedd932efb9ea74f10d3d3332992bd3de1b8a017ad5c8b5c9b
                                          • Instruction ID: d365b8062d66e0158282e28843e69154f23b369d829c24d3ad0afc033ed68b9c
                                          • Opcode Fuzzy Hash: c78af2de359abafedd932efb9ea74f10d3d3332992bd3de1b8a017ad5c8b5c9b
                                          • Instruction Fuzzy Hash: F0D1D531701212CFCB19EF14C895B69F7A0BF06711F1442ADEA4A6B252DB31EC56EF91
                                          APIs
                                          • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F87FAD
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F87FC1
                                          • GetFileAttributesW.KERNEL32(?), ref: 00F87FEB
                                          • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F88005
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F88017
                                          • SetCurrentDirectoryW.KERNEL32(?), ref: 00F88060
                                          • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F880B0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CurrentDirectory$AttributesFile
                                          • String ID: *.*
                                          • API String ID: 769691225-438819550
                                          • Opcode ID: bf5d729aad3b10327ecd31261d7c0aee4d94d72680356fa375f67ef3511965e6
                                          • Instruction ID: 51c55b71b6b35d3c329c2ca4d2d4b92c7303e0cf8a73c2396559902d16b83e78
                                          • Opcode Fuzzy Hash: bf5d729aad3b10327ecd31261d7c0aee4d94d72680356fa375f67ef3511965e6
                                          • Instruction Fuzzy Hash: BE81B3729083459BCB20FF14C844AEAB7E8BF85360F64485EF489C7250DB74DD45AB92
                                          APIs
                                          • SetWindowLongW.USER32(?,000000EB), ref: 00F15C7A
                                            • Part of subcall function 00F15D0A: GetClientRect.USER32(?,?), ref: 00F15D30
                                            • Part of subcall function 00F15D0A: GetWindowRect.USER32(?,?), ref: 00F15D71
                                            • Part of subcall function 00F15D0A: ScreenToClient.USER32(?,?), ref: 00F15D99
                                          • GetDC.USER32 ref: 00F546F5
                                          • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F54708
                                          • SelectObject.GDI32(00000000,00000000), ref: 00F54716
                                          • SelectObject.GDI32(00000000,00000000), ref: 00F5472B
                                          • ReleaseDC.USER32(?,00000000), ref: 00F54733
                                          • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F547C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                          • String ID: U
                                          • API String ID: 4009187628-3372436214
                                          • Opcode ID: 0c865bc0d30626c0bb98891d74ef05b6497d8fe41ff9051002a36d34635f9d95
                                          • Instruction ID: 0d58f731dd47426bdb570cab8a0eae3313b0473fb61617af4f35eb6e879134e2
                                          • Opcode Fuzzy Hash: 0c865bc0d30626c0bb98891d74ef05b6497d8fe41ff9051002a36d34635f9d95
                                          • Instruction Fuzzy Hash: 8B71F535900209DFCF218F64D984AFA7BB1FF4A32AF144265EE555A266C730A8C5FF90
                                          APIs
                                          • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00F835E4
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • LoadStringW.USER32(00FE2390,?,00000FFF,?), ref: 00F8360A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LoadString$_wcslen
                                          • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                          • API String ID: 4099089115-2391861430
                                          • Opcode ID: 58ad523359518914ed3de38eb5e15c737ef7665dfc7c39acbfba28fa29b1c722
                                          • Instruction ID: be97b96756309282af49035d2fd66add8d5db7791ed5c93c3df80b46e70d8bb2
                                          • Opcode Fuzzy Hash: 58ad523359518914ed3de38eb5e15c737ef7665dfc7c39acbfba28fa29b1c722
                                          • Instruction Fuzzy Hash: 89518E72C0421ABADF14EBA0CC42EEDBB39AF04710F044125F505721A1EB746AD8FFA1
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                            • Part of subcall function 00F2912D: GetCursorPos.USER32(?), ref: 00F29141
                                            • Part of subcall function 00F2912D: ScreenToClient.USER32(00000000,?), ref: 00F2915E
                                            • Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000001), ref: 00F29183
                                            • Part of subcall function 00F2912D: GetAsyncKeyState.USER32(00000002), ref: 00F2919D
                                          • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FA8B6B
                                          • ImageList_EndDrag.COMCTL32 ref: 00FA8B71
                                          • ReleaseCapture.USER32 ref: 00FA8B77
                                          • SetWindowTextW.USER32(?,00000000), ref: 00FA8C12
                                          • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FA8C25
                                          • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FA8CFF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                          • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                          • API String ID: 1924731296-2107944366
                                          • Opcode ID: edf5310162a30e3b8b2d8c93430491cd54c9e6bb3721ce788451eeff0f9d77b1
                                          • Instruction ID: c8ca6a881a8ee91ba4e3e03c0d6ae0073af0ce39564d8f8ea29cac7ef9f474ce
                                          • Opcode Fuzzy Hash: edf5310162a30e3b8b2d8c93430491cd54c9e6bb3721ce788451eeff0f9d77b1
                                          • Instruction Fuzzy Hash: 4851ADB0504304AFD700DF10DC95FAE77E4FB85760F000529F992672A2CBB49944EBA2
                                          APIs
                                          • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8C272
                                          • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F8C29A
                                          • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F8C2CA
                                          • GetLastError.KERNEL32 ref: 00F8C322
                                          • SetEvent.KERNEL32(?), ref: 00F8C336
                                          • InternetCloseHandle.WININET(00000000), ref: 00F8C341
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                          • String ID:
                                          • API String ID: 3113390036-3916222277
                                          • Opcode ID: 3fe1d2ea89e75d68e78e8246fcdeb07d218786bcfb25379e9ccc04c93035c3df
                                          • Instruction ID: 714dd90837772956a3d3404a23e38a72d9929877cbb48e739d64bb3b9d3d035d
                                          • Opcode Fuzzy Hash: 3fe1d2ea89e75d68e78e8246fcdeb07d218786bcfb25379e9ccc04c93035c3df
                                          • Instruction Fuzzy Hash: D5317FB1600608AFDB21AF649C88AAB7BFCEB49754F10851EF446D2240DB34DD05ABF0
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F53AAF,?,?,Bad directive syntax error,00FACC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F798BC
                                          • LoadStringW.USER32(00000000,?,00F53AAF,?), ref: 00F798C3
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F79987
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HandleLoadMessageModuleString_wcslen
                                          • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                          • API String ID: 858772685-4153970271
                                          • Opcode ID: ec2458159cddf8aa77c11cf0f0ab175afd91d8604393b321d347ca58dd24a6cd
                                          • Instruction ID: db42e77c774a8c1a0842bddf2ed0c853a8395acbe85149a68313d59a22c40664
                                          • Opcode Fuzzy Hash: ec2458159cddf8aa77c11cf0f0ab175afd91d8604393b321d347ca58dd24a6cd
                                          • Instruction Fuzzy Hash: 42217E3280421AABDF15EF90CC06EEE7775BF19310F04442AF619621A2EB75A658FB51
                                          APIs
                                          • GetParent.USER32 ref: 00F720AB
                                          • GetClassNameW.USER32(00000000,?,00000100), ref: 00F720C0
                                          • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F7214D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameParentSend
                                          • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                          • API String ID: 1290815626-3381328864
                                          • Opcode ID: 90ae2ed4905c94e3ea93488351d874d461c8b52ba792fb6b2aa99da4529a4536
                                          • Instruction ID: c3bbc7e06e42e0d832aee4f0ac25d8ceb86960508054cbef80a915ea4005ba6b
                                          • Opcode Fuzzy Hash: 90ae2ed4905c94e3ea93488351d874d461c8b52ba792fb6b2aa99da4529a4536
                                          • Instruction Fuzzy Hash: 1111E97B688706B9FA016620DC07DA6379CEB05734F604117FB0CA51E1FEA9B8417656
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 9a709d2a81250b8482f7e75ecb17a8b56ade382bfc4717c926b993515df1ddc6
                                          • Instruction ID: 68ab80fb54706df529f5bc898f1d4be8da2660a6b9ccbd43d57c91af9daf38ca
                                          • Opcode Fuzzy Hash: 9a709d2a81250b8482f7e75ecb17a8b56ade382bfc4717c926b993515df1ddc6
                                          • Instruction Fuzzy Hash: B0C1B375E082499FDB11DFACDC41BAEBFB0AF49320F044155F914A7292CBB49942EB61
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                          • String ID:
                                          • API String ID: 1282221369-0
                                          • Opcode ID: 0db86231facc50f476173f64371f9a9c267e8873ff98a177ba69e2577eac8294
                                          • Instruction ID: 8be7226bd2e11d309ba56f3686e71ee009a97539dc19054977cb85148f77a549
                                          • Opcode Fuzzy Hash: 0db86231facc50f476173f64371f9a9c267e8873ff98a177ba69e2577eac8294
                                          • Instruction Fuzzy Hash: 83612571E05244ABDB61AFB89C81A6A7FA5EF05330F04416DFD409B282EF399D44B7B0
                                          APIs
                                          • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F66890
                                          • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F668A9
                                          • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F668B9
                                          • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F668D1
                                          • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F668F2
                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F28874,00000000,00000000,00000000,000000FF,00000000), ref: 00F66901
                                          • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F6691E
                                          • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F28874,00000000,00000000,00000000,000000FF,00000000), ref: 00F6692D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Icon$DestroyExtractImageLoadMessageSend
                                          • String ID:
                                          • API String ID: 1268354404-0
                                          • Opcode ID: bbdc44520502d36258a9be22fa31298813bfa829ff4435fa6795eddeb6358c68
                                          • Instruction ID: 887fb32b590e6a9c1f02fc2d77faa146c2cfe36669c2745731ac09dfaf63f3a1
                                          • Opcode Fuzzy Hash: bbdc44520502d36258a9be22fa31298813bfa829ff4435fa6795eddeb6358c68
                                          • Instruction Fuzzy Hash: BB5179B0A00209AFDB20CF25DC95FAA7BB5FF88760F104519F916D72A0DB70E991EB50
                                          APIs
                                          • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F8C182
                                          • GetLastError.KERNEL32 ref: 00F8C195
                                          • SetEvent.KERNEL32(?), ref: 00F8C1A9
                                            • Part of subcall function 00F8C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F8C272
                                            • Part of subcall function 00F8C253: GetLastError.KERNEL32 ref: 00F8C322
                                            • Part of subcall function 00F8C253: SetEvent.KERNEL32(?), ref: 00F8C336
                                            • Part of subcall function 00F8C253: InternetCloseHandle.WININET(00000000), ref: 00F8C341
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                          • String ID:
                                          • API String ID: 337547030-0
                                          • Opcode ID: 453e02b95e3f5ac65dbf01ff9ca1fdb3dbbd64187f02c1b0d3ff6592eb169245
                                          • Instruction ID: f1bee96bd8ed9f698e5b388b8166888d93c12535f186360e8d3b3665c9947b6f
                                          • Opcode Fuzzy Hash: 453e02b95e3f5ac65dbf01ff9ca1fdb3dbbd64187f02c1b0d3ff6592eb169245
                                          • Instruction Fuzzy Hash: 3D3180B1500605AFDB21AFB5DC44AA6BBF8FF19310B00441DF95682660DB35E814BBF0
                                          APIs
                                            • Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
                                            • Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
                                            • Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F725BD
                                          • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F725DB
                                          • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00F725DF
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F725E9
                                          • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F72601
                                          • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00F72605
                                          • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F7260F
                                          • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F72623
                                          • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00F72627
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                          • String ID:
                                          • API String ID: 2014098862-0
                                          • Opcode ID: fcdfe46a15eace38c18286515297db68d15f4388ad07d566153e180714d16f1f
                                          • Instruction ID: 0103ebe7966df56a01e725198c7ae714967b8a62b7327e0e3c811e88df6041e7
                                          • Opcode Fuzzy Hash: fcdfe46a15eace38c18286515297db68d15f4388ad07d566153e180714d16f1f
                                          • Instruction Fuzzy Hash: C801D471390214BBFB1067699C8AF593F69DB4EB12F104006F318AE1D1C9F22445AAAA
                                          APIs
                                          • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00F71449,?,?,00000000), ref: 00F7180C
                                          • HeapAlloc.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F71813
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71449,?,?,00000000), ref: 00F71828
                                          • GetCurrentProcess.KERNEL32(?,00000000,?,00F71449,?,?,00000000), ref: 00F71830
                                          • DuplicateHandle.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F71833
                                          • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00F71449,?,?,00000000), ref: 00F71843
                                          • GetCurrentProcess.KERNEL32(00F71449,00000000,?,00F71449,?,?,00000000), ref: 00F7184B
                                          • DuplicateHandle.KERNEL32(00000000,?,00F71449,?,?,00000000), ref: 00F7184E
                                          • CreateThread.KERNEL32(00000000,00000000,00F71874,00000000,00000000,00000000), ref: 00F71868
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                          • String ID:
                                          • API String ID: 1957940570-0
                                          • Opcode ID: 365aa92c231d043644f68200c0cb88fa6f828803c2c4824537a9a018a3a70120
                                          • Instruction ID: 28a819be54d583c1865336f2e088798c497c78679083e1733c3522d3fbb1aac0
                                          • Opcode Fuzzy Hash: 365aa92c231d043644f68200c0cb88fa6f828803c2c4824537a9a018a3a70120
                                          • Instruction Fuzzy Hash: 9C01BBB5340308BFE710ABA5DC4DF6B3BACEB8AB11F008411FA05DB1A2DA709804DB61
                                          APIs
                                            • Part of subcall function 00F7D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00F7D501
                                            • Part of subcall function 00F7D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00F7D50F
                                            • Part of subcall function 00F7D4DC: CloseHandle.KERNEL32(00000000), ref: 00F7D5DC
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9A16D
                                          • GetLastError.KERNEL32 ref: 00F9A180
                                          • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F9A1B3
                                          • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F9A268
                                          • GetLastError.KERNEL32(00000000), ref: 00F9A273
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9A2C4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                          • String ID: SeDebugPrivilege
                                          • API String ID: 2533919879-2896544425
                                          • Opcode ID: 2f03730df517f78303f8000dab91c0bc6dcbc4962bab23cd2e0ee50e26dee448
                                          • Instruction ID: d394f3ca51b79ebf282b3ea1afb8d327e2b7b5f937bb4e2e13b0837f7fce0c27
                                          • Opcode Fuzzy Hash: 2f03730df517f78303f8000dab91c0bc6dcbc4962bab23cd2e0ee50e26dee448
                                          • Instruction Fuzzy Hash: EB6171716082419FEB20DF14C894F55BBE1AF44318F14849CE4668B7A3C776ED85DBD2
                                          APIs
                                          • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FA3925
                                          • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FA393A
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FA3954
                                          • _wcslen.LIBCMT ref: 00FA3999
                                          • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FA39C6
                                          • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FA39F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$Window_wcslen
                                          • String ID: SysListView32
                                          • API String ID: 2147712094-78025650
                                          • Opcode ID: 2f900752e34deb3543bfdb98fd3805bb664c6376a5bae97283b44c008eed014a
                                          • Instruction ID: 02a13d8f1a3baee4a0893cec24ca974856269fc50779bb5df771afa8af384361
                                          • Opcode Fuzzy Hash: 2f900752e34deb3543bfdb98fd3805bb664c6376a5bae97283b44c008eed014a
                                          • Instruction Fuzzy Hash: AA4195B1E00219ABDB219F64CC45FEA77A9FF09360F100526F958E7281D775DE84EB90
                                          APIs
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F7BCFD
                                          • IsMenu.USER32(00000000), ref: 00F7BD1D
                                          • CreatePopupMenu.USER32 ref: 00F7BD53
                                          • GetMenuItemCount.USER32(01105E40), ref: 00F7BDA4
                                          • InsertMenuItemW.USER32(01105E40,?,00000001,00000030), ref: 00F7BDCC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Menu$Item$CountCreateInfoInsertPopup
                                          • String ID: 0$2
                                          • API String ID: 93392585-3793063076
                                          • Opcode ID: c89daaac1725604b53bf131a7d4935f96b2fa3498b5dca40d35f57913b610f29
                                          • Instruction ID: 90fab85b849e4e9077aef07c9d6d601b3e0ba3679aa622237fd1993ae6bf12ba
                                          • Opcode Fuzzy Hash: c89daaac1725604b53bf131a7d4935f96b2fa3498b5dca40d35f57913b610f29
                                          • Instruction Fuzzy Hash: 12519F70A002099FDB21CFA8D888BAEBBF5AF46324F14C15AF419D7291E7749941EB52
                                          APIs
                                          • LoadIconW.USER32(00000000,00007F03), ref: 00F7C913
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: IconLoad
                                          • String ID: blank$info$question$stop$warning
                                          • API String ID: 2457776203-404129466
                                          • Opcode ID: 6a6f3a82e734490b258386ba058ab87bb73bd80ef07628634d895862cbab60b6
                                          • Instruction ID: 7d8baf4383ca37f71e5a8d7ede96b0d3ced76778abcd7f2b4646177916cb291b
                                          • Opcode Fuzzy Hash: 6a6f3a82e734490b258386ba058ab87bb73bd80ef07628634d895862cbab60b6
                                          • Instruction Fuzzy Hash: 4F11BE32A8930ABAA7055B549C82DDA7BACDF15774B50402FF608E5281DB74BD0072E7
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$LocalTime
                                          • String ID:
                                          • API String ID: 952045576-0
                                          • Opcode ID: c34c03e1e2d8666025b16b8cadad4da0288f8c25cf24105780407bdebf2a9b24
                                          • Instruction ID: af2a8509fca15b218801a25e245c21f121f70550acd26512e60d40146c012fab
                                          • Opcode Fuzzy Hash: c34c03e1e2d8666025b16b8cadad4da0288f8c25cf24105780407bdebf2a9b24
                                          • Instruction Fuzzy Hash: 70419365C1121875CB11EBF48C8AACFB7A8AF49720F518867F518E3121FB38E255D3A6
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F2F953
                                          • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F6F3D1
                                          • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00F6F454
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ShowWindow
                                          • String ID:
                                          • API String ID: 1268545403-0
                                          • Opcode ID: 50239311a1590374d339fed700fd605175725e64b293b0d3e50004e0072e7a53
                                          • Instruction ID: a709f1706c11b60ee6228872204ab408116fd722b6ce1c80ff2f402ff3b58199
                                          • Opcode Fuzzy Hash: 50239311a1590374d339fed700fd605175725e64b293b0d3e50004e0072e7a53
                                          • Instruction Fuzzy Hash: B0412D31A28690BBD7398B2DFC8872A7BB1AB56320F14443DE08756661DA3198C8FB51
                                          APIs
                                          • DeleteObject.GDI32(00000000), ref: 00FA2D1B
                                          • GetDC.USER32(00000000), ref: 00FA2D23
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA2D2E
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00FA2D3A
                                          • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FA2D76
                                          • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FA2D87
                                          • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FA5A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00FA2DC2
                                          • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FA2DE1
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                          • String ID:
                                          • API String ID: 3864802216-0
                                          • Opcode ID: 3e323a01c9275538d0afd69fa2849d30851554c38a0152b65756b31d4ddfb0df
                                          • Instruction ID: a272b739c1985575b21182db25eabca51e600e062d4498398a2c2298618ab8d7
                                          • Opcode Fuzzy Hash: 3e323a01c9275538d0afd69fa2849d30851554c38a0152b65756b31d4ddfb0df
                                          • Instruction Fuzzy Hash: 02317CB2201214BFEB118F54CC8AFEB3BA9EF0A725F044055FE08DA291C6759C51DBA4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: fe9cdfc4743d5fc7fa7f998dcb9949350a6ba73bc782ff870c71f89b457c7b95
                                          • Instruction ID: 12e64ba9b3e39759ad2769ba310c5f98e546475fff062284f842f623e3792701
                                          • Opcode Fuzzy Hash: fe9cdfc4743d5fc7fa7f998dcb9949350a6ba73bc782ff870c71f89b457c7b95
                                          • Instruction Fuzzy Hash: 5E210AA2A40A09B7D21855118D82FBA335CBF11BB4F448022FD0C9E541F7A4EF14B1A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: NULL Pointer assignment$Not an Object type
                                          • API String ID: 0-572801152
                                          • Opcode ID: c66e308e07640143a7152a1980754d537e7aa1d22cb35526f8272d4cb77d5f2e
                                          • Instruction ID: eb38089637452d897781cafe7d19218d18c7c43896bb20331ff47ef55f4ac15d
                                          • Opcode Fuzzy Hash: c66e308e07640143a7152a1980754d537e7aa1d22cb35526f8272d4cb77d5f2e
                                          • Instruction Fuzzy Hash: 58D1C171E0060A9FEF11CFA8C881FAEB7B5BF48754F148069E915AB280E771DD85DB90
                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F515CE
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51651
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F517FB,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F516E4
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F516FB
                                            • Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F517FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00F51777
                                          • __freea.LIBCMT ref: 00F517A2
                                          • __freea.LIBCMT ref: 00F517AE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                          • String ID:
                                          • API String ID: 2829977744-0
                                          • Opcode ID: cbc2ad6c5865128e18deba2fa4a3043bd84a3813d57b3bde1612499dbd7599d6
                                          • Instruction ID: b750fe4ecb9dc3ac57be579e6a73aef0bbe28ce101620b55f9f7015559b9fe32
                                          • Opcode Fuzzy Hash: cbc2ad6c5865128e18deba2fa4a3043bd84a3813d57b3bde1612499dbd7599d6
                                          • Instruction Fuzzy Hash: 6F91C872E002165ADF208E74DC81BEE7BB5BF49321F184659EE01E7141E735EC48E7A0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit
                                          • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                          • API String ID: 2610073882-625585964
                                          • Opcode ID: c498e7990afb7901f903d905646b0b02f8216538ac65b0ecd1e529e8d963a6bf
                                          • Instruction ID: 94bb87955a0463bfc19786c3533d2a38733ae4ee93ffe0b21530e9217cc1ed46
                                          • Opcode Fuzzy Hash: c498e7990afb7901f903d905646b0b02f8216538ac65b0ecd1e529e8d963a6bf
                                          • Instruction Fuzzy Hash: A291B771E00219ABEF20CFA4CC44FAEBBB8EF56714F108559F505AB280D770A946DFA1
                                          APIs
                                          • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00F8125C
                                          • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00F81284
                                          • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00F812A8
                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F812D8
                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F8135F
                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F813C4
                                          • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00F81430
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ArraySafe$Data$Access$UnaccessVartype
                                          • String ID:
                                          • API String ID: 2550207440-0
                                          • Opcode ID: 485eafd476fea40522bee4a706f2d45dc2404908f051b38940def609625d6f52
                                          • Instruction ID: 6b38385ff9411a9636103e4a63d7dc3bf40207086bd97d09e8a8345c36526e68
                                          • Opcode Fuzzy Hash: 485eafd476fea40522bee4a706f2d45dc2404908f051b38940def609625d6f52
                                          • Instruction Fuzzy Hash: 7391C272E002199FDB00EF94C885BFE77B9FF45325F104229E941E7291D778A946EB90
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: 549f8a9e9d861e3b2907f01010d564efe30234088d19b88c2a1d2d5402707779
                                          • Instruction ID: 7d4b89ee59907418fb174a032eb3819e842b92990d563aa5aa780fd55af1c653
                                          • Opcode Fuzzy Hash: 549f8a9e9d861e3b2907f01010d564efe30234088d19b88c2a1d2d5402707779
                                          • Instruction Fuzzy Hash: BC914871E04219EFCB10CFA9DC85AEEBBB8FF49320F148059E515B7251D378A941EBA0
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00F9396B
                                          • CharUpperBuffW.USER32(?,?), ref: 00F93A7A
                                          • _wcslen.LIBCMT ref: 00F93A8A
                                          • VariantClear.OLEAUT32(?), ref: 00F93C1F
                                            • Part of subcall function 00F80CDF: VariantInit.OLEAUT32(00000000), ref: 00F80D1F
                                            • Part of subcall function 00F80CDF: VariantCopy.OLEAUT32(?,?), ref: 00F80D28
                                            • Part of subcall function 00F80CDF: VariantClear.OLEAUT32(?), ref: 00F80D34
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                          • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                          • API String ID: 4137639002-1221869570
                                          • Opcode ID: 999ff6d1c2a13fbb65f396f97929b41fd6c0eb77a9cc133ebf259a54d12c7621
                                          • Instruction ID: ccd4b0fbb3be60eaf5fd622efe662425e5041474c5230bf42fea6241d6c197aa
                                          • Opcode Fuzzy Hash: 999ff6d1c2a13fbb65f396f97929b41fd6c0eb77a9cc133ebf259a54d12c7621
                                          • Instruction Fuzzy Hash: BB917B75A083059FCB10EF64C88096AB7E5FF89314F14892DF8899B351DB34EE45EB92
                                          APIs
                                            • Part of subcall function 00F7000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?,?,00F7035E), ref: 00F7002B
                                            • Part of subcall function 00F7000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70046
                                            • Part of subcall function 00F7000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70054
                                            • Part of subcall function 00F7000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?), ref: 00F70064
                                          • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00F94C51
                                          • _wcslen.LIBCMT ref: 00F94D59
                                          • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00F94DCF
                                          • CoTaskMemFree.OLE32(?), ref: 00F94DDA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                          • String ID: NULL Pointer assignment
                                          • API String ID: 614568839-2785691316
                                          • Opcode ID: ef3d8222cdcc792c828dc3151972103bea02674798da7780be643f59ed8420a0
                                          • Instruction ID: 3c27347625ea8f887a0e43f5ddad71b57a4f6df0c18c7719aaffc343edef88e6
                                          • Opcode Fuzzy Hash: ef3d8222cdcc792c828dc3151972103bea02674798da7780be643f59ed8420a0
                                          • Instruction Fuzzy Hash: D7911771D0021DAFEF10DFA4CC90EEDB7B8BF08310F10816AE915A7251DB34AA459FA0
                                          APIs
                                          • GetMenu.USER32(?), ref: 00FA2183
                                          • GetMenuItemCount.USER32(00000000), ref: 00FA21B5
                                          • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FA21DD
                                          • _wcslen.LIBCMT ref: 00FA2213
                                          • GetMenuItemID.USER32(?,?), ref: 00FA224D
                                          • GetSubMenu.USER32(?,?), ref: 00FA225B
                                            • Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
                                            • Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
                                            • Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65
                                          • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FA22E3
                                            • Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                          • String ID:
                                          • API String ID: 4196846111-0
                                          • Opcode ID: 220ee71eaee1bc662a05f02732dfd6992cbab8fae94dbec957c2731ef572bf7f
                                          • Instruction ID: 42c4c48e36ef900ff69fe801139ea81c558353ac0a36169ebd4a8503e49be281
                                          • Opcode Fuzzy Hash: 220ee71eaee1bc662a05f02732dfd6992cbab8fae94dbec957c2731ef572bf7f
                                          • Instruction Fuzzy Hash: 117181B6E00205AFDB50DF68C845BAEB7F5EF49320F148459E816EB351DB38ED41AB90
                                          APIs
                                          • GetParent.USER32(?), ref: 00F7AEF9
                                          • GetKeyboardState.USER32(?), ref: 00F7AF0E
                                          • SetKeyboardState.USER32(?), ref: 00F7AF6F
                                          • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F7AF9D
                                          • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F7AFBC
                                          • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F7AFFD
                                          • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F7B020
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: 8d614128667d6145657b76296bee40a99e63db64495677d143de8ce74373ba0a
                                          • Instruction ID: f68e4597de83d631b92a3134e5c9a9acc6622867a0191cc55a1a844a5ca0a7b5
                                          • Opcode Fuzzy Hash: 8d614128667d6145657b76296bee40a99e63db64495677d143de8ce74373ba0a
                                          • Instruction Fuzzy Hash: 9751D1A1A087D53DFB3682348C45BBEBEA95B46314F09C58AE1DD858C3C3D8A8C4E753
                                          APIs
                                          • GetParent.USER32(00000000), ref: 00F7AD19
                                          • GetKeyboardState.USER32(?), ref: 00F7AD2E
                                          • SetKeyboardState.USER32(?), ref: 00F7AD8F
                                          • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F7ADBB
                                          • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F7ADD8
                                          • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F7AE17
                                          • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F7AE38
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessagePost$KeyboardState$Parent
                                          • String ID:
                                          • API String ID: 87235514-0
                                          • Opcode ID: cbb9c5d33dd57aa0da63506d19e6f39cd7120fa6844f75474699684579e32060
                                          • Instruction ID: 062cb2799394942d23e95285c62b11f8a116a75690f2e3a80d08e7004902d345
                                          • Opcode Fuzzy Hash: cbb9c5d33dd57aa0da63506d19e6f39cd7120fa6844f75474699684579e32060
                                          • Instruction Fuzzy Hash: B551E3A19047D53DFB3383248C55BBE7EA95B86310F09C48AE0DD868C2D294EC98F753
                                          APIs
                                          • GetConsoleCP.KERNEL32(00F53CD6,?,?,?,?,?,?,?,?,00F45BA3,?,?,00F53CD6,?,?), ref: 00F45470
                                          • __fassign.LIBCMT ref: 00F454EB
                                          • __fassign.LIBCMT ref: 00F45506
                                          • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F53CD6,00000005,00000000,00000000), ref: 00F4552C
                                          • WriteFile.KERNEL32(?,00F53CD6,00000000,00F45BA3,00000000,?,?,?,?,?,?,?,?,?,00F45BA3,?), ref: 00F4554B
                                          • WriteFile.KERNEL32(?,?,00000001,00F45BA3,00000000,?,?,?,?,?,?,?,?,?,00F45BA3,?), ref: 00F45584
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: da97a08db27f1a47e1ffea7cc8ed9962fec65aef781ff15e3c647214d8310fe6
                                          • Instruction ID: 3f944cf1c7cfe3088faf19eb59f4ccb2515b189be32c42b63524c74bcda099c5
                                          • Opcode Fuzzy Hash: da97a08db27f1a47e1ffea7cc8ed9962fec65aef781ff15e3c647214d8310fe6
                                          • Instruction Fuzzy Hash: 1B51E3B1E00649AFDB11DFA8DC85AEEBBF9EF09710F14401AF945E7292D7309A41DB60
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00F32D4B
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00F32D53
                                          • _ValidateLocalCookies.LIBCMT ref: 00F32DE1
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00F32E0C
                                          • _ValidateLocalCookies.LIBCMT ref: 00F32E61
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: 2840c065c358296ee5cc5161864ed156f1c89cfbc9f7f3b7d14b739acf1cbfe1
                                          • Instruction ID: f20a1dee79f69031411a82083c1d1fdc30fbd461ba543cff112b98f89d1ba714
                                          • Opcode Fuzzy Hash: 2840c065c358296ee5cc5161864ed156f1c89cfbc9f7f3b7d14b739acf1cbfe1
                                          • Instruction Fuzzy Hash: 1341DD35E00209ABCF50DF68CC85A9EBBB5BF44334F148155E814AB392DB35EA05EBD0
                                          APIs
                                            • Part of subcall function 00F9304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
                                            • Part of subcall function 00F9304E: _wcslen.LIBCMT ref: 00F9309B
                                          • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00F91112
                                          • WSAGetLastError.WSOCK32 ref: 00F91121
                                          • WSAGetLastError.WSOCK32 ref: 00F911C9
                                          • closesocket.WSOCK32(00000000), ref: 00F911F9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                          • String ID:
                                          • API String ID: 2675159561-0
                                          • Opcode ID: 8d423b4b661e7d0e9d652d424b2d04dd63d1ad2f108c61fd6f67148e9f8f0027
                                          • Instruction ID: d29339dd11579687269cdc9ed391dde60d0d979327cd7c57edd4b91b549cf072
                                          • Opcode Fuzzy Hash: 8d423b4b661e7d0e9d652d424b2d04dd63d1ad2f108c61fd6f67148e9f8f0027
                                          • Instruction Fuzzy Hash: 3E41E371600209AFEB109F14CC84BAABBE9FF45364F148069FD159B291C778ED81DBE1
                                          APIs
                                            • Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7CF22,?), ref: 00F7DDFD
                                            • Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7CF22,?), ref: 00F7DE16
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00F7CF45
                                          • MoveFileW.KERNEL32(?,?), ref: 00F7CF7F
                                          • _wcslen.LIBCMT ref: 00F7D005
                                          • _wcslen.LIBCMT ref: 00F7D01B
                                          • SHFileOperationW.SHELL32(?), ref: 00F7D061
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                          • String ID: \*.*
                                          • API String ID: 3164238972-1173974218
                                          • Opcode ID: d41e49fa43acbeb1b089659126dcf809c777fab19683d63bb93791e2840a3580
                                          • Instruction ID: ecca875b5d9374a53472589962c8f2c2ac22915e5615cf89ad06bfd6cfd912e2
                                          • Opcode Fuzzy Hash: d41e49fa43acbeb1b089659126dcf809c777fab19683d63bb93791e2840a3580
                                          • Instruction Fuzzy Hash: F1415571D052185EDF12EFA4CD81FDEB7B9AF09390F4040EBE509EB141EA74A688EB51
                                          APIs
                                          • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FA2E1C
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2E4F
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2E84
                                          • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FA2EB6
                                          • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FA2EE0
                                          • GetWindowLongW.USER32(00000000,000000F0), ref: 00FA2EF1
                                          • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FA2F0B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LongWindow$MessageSend
                                          • String ID:
                                          • API String ID: 2178440468-0
                                          • Opcode ID: 8bd3823af5439c99c06071ab9a1dfb5f6271a0e002f9fcff4960471e104200e1
                                          • Instruction ID: 7e0b6c2f6692b279e9cc74119785142983a2bf1d2a9a5a9af8a0ce219297f890
                                          • Opcode Fuzzy Hash: 8bd3823af5439c99c06071ab9a1dfb5f6271a0e002f9fcff4960471e104200e1
                                          • Instruction Fuzzy Hash: 2231D175B04158AFEB61CF59DCC4F6937E1BB8A720F150164F9048F2A2CB71A880EB41
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77769
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F7778F
                                          • SysAllocString.OLEAUT32(00000000), ref: 00F77792
                                          • SysAllocString.OLEAUT32(?), ref: 00F777B0
                                          • SysFreeString.OLEAUT32(?), ref: 00F777B9
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00F777DE
                                          • SysAllocString.OLEAUT32(?), ref: 00F777EC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: 056e09599e3041b1f8a67543ce88a80e56f0ed9e73b7b900d6a7b21dfa5d0d58
                                          • Instruction ID: 7afff4a598b5199eba3558a0400cfc0066cfaa34c6967e7f49c236ef73a73843
                                          • Opcode Fuzzy Hash: 056e09599e3041b1f8a67543ce88a80e56f0ed9e73b7b900d6a7b21dfa5d0d58
                                          • Instruction Fuzzy Hash: 9D21B076A14219AFDB14EFA8DC88DBB77ECEB093647008026FA08DB150D674DC42A7A5
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77842
                                          • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F77868
                                          • SysAllocString.OLEAUT32(00000000), ref: 00F7786B
                                          • SysAllocString.OLEAUT32 ref: 00F7788C
                                          • SysFreeString.OLEAUT32 ref: 00F77895
                                          • StringFromGUID2.OLE32(?,?,00000028), ref: 00F778AF
                                          • SysAllocString.OLEAUT32(?), ref: 00F778BD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                          • String ID:
                                          • API String ID: 3761583154-0
                                          • Opcode ID: c2f027ebaa571ee2df2d69d81738692a620633a62f029f7f00cc7579bfa0accc
                                          • Instruction ID: 624469a24040a81367888298fa2095131dcc2e7f48c8c22f5c502e7cfd543376
                                          • Opcode Fuzzy Hash: c2f027ebaa571ee2df2d69d81738692a620633a62f029f7f00cc7579bfa0accc
                                          • Instruction Fuzzy Hash: C5217771A14218AFDB10AFB8DC8CDBA77ECEB09760710C126F915CB1A1D674DC41DB65
                                          APIs
                                          • GetStdHandle.KERNEL32(0000000C), ref: 00F804F2
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F8052E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateHandlePipe
                                          • String ID: nul
                                          • API String ID: 1424370930-2873401336
                                          • Opcode ID: 696a830d2c6b767608820ec3414883e522636c89434a9fb445ce9d9f07e72901
                                          • Instruction ID: 94dfa19811cf578a5009b56589934bde18dd9cfeb9d8f148d7a8a22fd25ba0a7
                                          • Opcode Fuzzy Hash: 696a830d2c6b767608820ec3414883e522636c89434a9fb445ce9d9f07e72901
                                          • Instruction Fuzzy Hash: 5D217175900305AFDB20AF29DC08A9A77E4AF45724F644A19E8A1DA2E0DB709944EF60
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F6), ref: 00F805C6
                                          • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F80601
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateHandlePipe
                                          • String ID: nul
                                          • API String ID: 1424370930-2873401336
                                          • Opcode ID: 3cf45a334ca8f205360a59680dd6c95ddac7bf851a8b673e048c3b69a2575d30
                                          • Instruction ID: e56dd2c6f0f082b91f89abd86399e81780040ad50f64788e63ee863631ea6a49
                                          • Opcode Fuzzy Hash: 3cf45a334ca8f205360a59680dd6c95ddac7bf851a8b673e048c3b69a2575d30
                                          • Instruction Fuzzy Hash: 9C2181759003059FDB60AF698C04ADA77E4BF95730F600B19F8A1E72E0EB709864EB60
                                          APIs
                                            • Part of subcall function 00F1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
                                            • Part of subcall function 00F1600E: GetStockObject.GDI32(00000011), ref: 00F16060
                                            • Part of subcall function 00F1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A
                                          • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FA4112
                                          • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FA411F
                                          • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FA412A
                                          • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FA4139
                                          • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FA4145
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$CreateObjectStockWindow
                                          • String ID: Msctls_Progress32
                                          • API String ID: 1025951953-3636473452
                                          • Opcode ID: 9e5b0a1fdf180173e39a896d508c0969572f959d7499a6e09146013cf46cfaee
                                          • Instruction ID: 895205d9e7fbbd2e92883f2f41fd7d01433aa1b67796aa33a778855bfcc28f1d
                                          • Opcode Fuzzy Hash: 9e5b0a1fdf180173e39a896d508c0969572f959d7499a6e09146013cf46cfaee
                                          • Instruction Fuzzy Hash: 6D11B6B214021D7EEF119F64CC85EE77F5DEF09798F004111B618A6150C6B6DC61EBA4
                                          APIs
                                            • Part of subcall function 00F4D7A3: _free.LIBCMT ref: 00F4D7CC
                                          • _free.LIBCMT ref: 00F4D82D
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F4D838
                                          • _free.LIBCMT ref: 00F4D843
                                          • _free.LIBCMT ref: 00F4D897
                                          • _free.LIBCMT ref: 00F4D8A2
                                          • _free.LIBCMT ref: 00F4D8AD
                                          • _free.LIBCMT ref: 00F4D8B8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                          • Instruction ID: c2909a71ada78281a0f80f7854627c584d8423ab15ff8480bd076dd8cf1df4d0
                                          • Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
                                          • Instruction Fuzzy Hash: 5A115171540B04ABE921BFB1CC47FCB7FEC6F00700F800825BA99A6192DA79B5057650
                                          APIs
                                          • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F7DA74
                                          • LoadStringW.USER32(00000000), ref: 00F7DA7B
                                          • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F7DA91
                                          • LoadStringW.USER32(00000000), ref: 00F7DA98
                                          • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F7DADC
                                          Strings
                                          • %s (%d) : ==> %s: %s %s, xrefs: 00F7DAB9
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HandleLoadModuleString$Message
                                          • String ID: %s (%d) : ==> %s: %s %s
                                          • API String ID: 4072794657-3128320259
                                          • Opcode ID: b3e7832dd6012b44e59a0f887ed4857bcbdbdaeca60a0c4f66373831c98ccf91
                                          • Instruction ID: 3d0201e3f8efb4fad33883ca83e66263911079b8bfc4b112fb7f5c668a343bf7
                                          • Opcode Fuzzy Hash: b3e7832dd6012b44e59a0f887ed4857bcbdbdaeca60a0c4f66373831c98ccf91
                                          • Instruction Fuzzy Hash: 230162F290020C7FE710EBA4DD89EE7336CEB09701F404496B70AE2142EA749E845FB5
                                          APIs
                                          • InterlockedExchange.KERNEL32(010FF318,010FF318), ref: 00F8097B
                                          • EnterCriticalSection.KERNEL32(010FF2F8,00000000), ref: 00F8098D
                                          • TerminateThread.KERNEL32(00540050,000001F6), ref: 00F8099B
                                          • WaitForSingleObject.KERNEL32(00540050,000003E8), ref: 00F809A9
                                          • CloseHandle.KERNEL32(00540050), ref: 00F809B8
                                          • InterlockedExchange.KERNEL32(010FF318,000001F6), ref: 00F809C8
                                          • LeaveCriticalSection.KERNEL32(010FF2F8), ref: 00F809CF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                          • String ID:
                                          • API String ID: 3495660284-0
                                          • Opcode ID: 227ac0994cfa4a1c7c8ac02b06f85888e619415d6c1b7f0fa541a1152cce9c0c
                                          • Instruction ID: 7b0815a28f4c13e611be39d9c96f15d9414254b8f85e2663fdd0b1633ad73702
                                          • Opcode Fuzzy Hash: 227ac0994cfa4a1c7c8ac02b06f85888e619415d6c1b7f0fa541a1152cce9c0c
                                          • Instruction Fuzzy Hash: 29F03C72542A06BBD7415FA4EE8CBD6BB79FF02712F802025F202908A0CB749465EFD0
                                          APIs
                                          • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00F91DC0
                                          • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00F91DE1
                                          • WSAGetLastError.WSOCK32 ref: 00F91DF2
                                          • htons.WSOCK32(?,?,?,?,?), ref: 00F91EDB
                                          • inet_ntoa.WSOCK32(?), ref: 00F91E8C
                                            • Part of subcall function 00F739E8: _strlen.LIBCMT ref: 00F739F2
                                            • Part of subcall function 00F93224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00F8EC0C), ref: 00F93240
                                          • _strlen.LIBCMT ref: 00F91F35
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                          • String ID:
                                          • API String ID: 3203458085-0
                                          • Opcode ID: f32ba4bbe3cc2a6cac38fdc9f6ac4b3027c206cf56559fb9a9807b3b1e541335
                                          • Instruction ID: edd360433d6e3698726dd99f5049019d4c7aaa5a2608ee6e3f196843ff7ee40f
                                          • Opcode Fuzzy Hash: f32ba4bbe3cc2a6cac38fdc9f6ac4b3027c206cf56559fb9a9807b3b1e541335
                                          • Instruction Fuzzy Hash: A0B11031604301AFEB24DF24C885E6A7BE5BF84328F54895CF4564B2E2CB35ED82DB91
                                          APIs
                                          • __allrem.LIBCMT ref: 00F400BA
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F400D6
                                          • __allrem.LIBCMT ref: 00F400ED
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F4010B
                                          • __allrem.LIBCMT ref: 00F40122
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F40140
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          • Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                          • Instruction ID: 7e2bd05ecb64913b55a35ad82b24cf386577fb6227f30b852f0efdba654bc3bc
                                          • Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
                                          • Instruction Fuzzy Hash: 9D81E872E007069BE720AE79CC41B6B77E9AF91334F24463AFE51D7281EB74D904AB50
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F382D9,00F382D9,?,?,?,00F4644F,00000001,00000001,8BE85006), ref: 00F46258
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F4644F,00000001,00000001,8BE85006,?,?,?), ref: 00F462DE
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F463D8
                                          • __freea.LIBCMT ref: 00F463E5
                                            • Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852
                                          • __freea.LIBCMT ref: 00F463EE
                                          • __freea.LIBCMT ref: 00F46413
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$AllocateHeap
                                          • String ID:
                                          • API String ID: 1414292761-0
                                          • Opcode ID: f261f0dee18d8f6fb2ee07e254037117e7dafa467a943a2452ecfa3d9f033635
                                          • Instruction ID: 62e4c7fd58796b37f728f7d9eb3edff43e03ac7fcb61a0101cdb1f341b888e1e
                                          • Opcode Fuzzy Hash: f261f0dee18d8f6fb2ee07e254037117e7dafa467a943a2452ecfa3d9f033635
                                          • Instruction Fuzzy Hash: E151F372A00256ABDF258F64CC81FBF7FA9EB46720F144269FC05D6280DB38DC40E6A1
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9BCCA
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9BD25
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00F9BD6A
                                          • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F9BD99
                                          • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F9BDF3
                                          • RegCloseKey.ADVAPI32(?), ref: 00F9BDFF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                          • String ID:
                                          • API String ID: 1120388591-0
                                          • Opcode ID: 743d72877c07c81766ec63d8e92cc243506f79bda1bc3e65698dd72718452429
                                          • Instruction ID: 4b0597721bc01af564a6bd63b21a7e90d7222365bb2ae337d1107c1ea0903e13
                                          • Opcode Fuzzy Hash: 743d72877c07c81766ec63d8e92cc243506f79bda1bc3e65698dd72718452429
                                          • Instruction Fuzzy Hash: 8781DF70208241EFDB14DF24C985E6ABBE5FF85318F14885DF4598B2A2CB31ED45EB92
                                          APIs
                                          • VariantInit.OLEAUT32(00000035), ref: 00F6F7B9
                                          • SysAllocString.OLEAUT32(00000001), ref: 00F6F860
                                          • VariantCopy.OLEAUT32(00F6FA64,00000000), ref: 00F6F889
                                          • VariantClear.OLEAUT32(00F6FA64), ref: 00F6F8AD
                                          • VariantCopy.OLEAUT32(00F6FA64,00000000), ref: 00F6F8B1
                                          • VariantClear.OLEAUT32(?), ref: 00F6F8BB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$ClearCopy$AllocInitString
                                          • String ID:
                                          • API String ID: 3859894641-0
                                          • Opcode ID: 3c9a85d9a84a0bf2e144f3e3744421acc20824e800c8ef7f2dd7014ebbff2d7a
                                          • Instruction ID: a8827071533c18a76eb5b6b7ac1efa0ca2a5493433d42f6742205a681652f9c0
                                          • Opcode Fuzzy Hash: 3c9a85d9a84a0bf2e144f3e3744421acc20824e800c8ef7f2dd7014ebbff2d7a
                                          • Instruction Fuzzy Hash: 2551F932A10310FADF10AB76EC95B69B3A8EF45310F244467E906DF291DB748C48F796
                                          APIs
                                            • Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          • GetOpenFileNameW.COMDLG32(00000058), ref: 00F894E5
                                          • _wcslen.LIBCMT ref: 00F89506
                                          • _wcslen.LIBCMT ref: 00F8952D
                                          • GetSaveFileNameW.COMDLG32(00000058), ref: 00F89585
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$FileName$OpenSave
                                          • String ID: X
                                          • API String ID: 83654149-3081909835
                                          • Opcode ID: 407c4d2577b2739f09a8258d115ef71c3155c3c83120245f223dbca2800f288d
                                          • Instruction ID: 338c89efd7c887a110641956dff9d7a0fd343bf3416f470c41d00cc837ddd367
                                          • Opcode Fuzzy Hash: 407c4d2577b2739f09a8258d115ef71c3155c3c83120245f223dbca2800f288d
                                          • Instruction Fuzzy Hash: 51E1B631908340CFC714EF24C881AAEB7E5BF85324F08856DF8999B2A2DB75ED45DB91
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • BeginPaint.USER32(?,?,?), ref: 00F29241
                                          • GetWindowRect.USER32(?,?), ref: 00F292A5
                                          • ScreenToClient.USER32(?,?), ref: 00F292C2
                                          • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F292D3
                                          • EndPaint.USER32(?,?,?,?,?), ref: 00F29321
                                          • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F671EA
                                            • Part of subcall function 00F29339: BeginPath.GDI32(00000000), ref: 00F29357
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                          • String ID:
                                          • API String ID: 3050599898-0
                                          • Opcode ID: f8ac977f2f78d8005f6a66379ac76cf268455b289c5db4e08a0faa3e8edc7d2e
                                          • Instruction ID: 62df9061860c9e73b1bcf6af418b11133908726784f5e4edab262e92933681bc
                                          • Opcode Fuzzy Hash: f8ac977f2f78d8005f6a66379ac76cf268455b289c5db4e08a0faa3e8edc7d2e
                                          • Instruction Fuzzy Hash: F041AD71509314AFD720DF25DC84FBA7BB8FB46724F14022AF9948B2E2C7749845EB61
                                          APIs
                                          • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F8080C
                                          • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00F80847
                                          • EnterCriticalSection.KERNEL32(?), ref: 00F80863
                                          • LeaveCriticalSection.KERNEL32(?), ref: 00F808DC
                                          • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00F808F3
                                          • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F80921
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                          • String ID:
                                          • API String ID: 3368777196-0
                                          • Opcode ID: 4d46ecfddcf44771615c9f774fe13a1eaa3bcd5bdff02274f49a8c09cebbf515
                                          • Instruction ID: 028192c24b9c0a8f42d67cffd11237b18896fab106929797e5a12f505b48c2cb
                                          • Opcode Fuzzy Hash: 4d46ecfddcf44771615c9f774fe13a1eaa3bcd5bdff02274f49a8c09cebbf515
                                          • Instruction Fuzzy Hash: 7D41AF71A00209EFDF05AF54DC85AAA77B8FF04310F1040B9ED00AA297DB34DE58EBA0
                                          APIs
                                          • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F6F3AB,00000000,?,?,00000000,?,00F6682C,00000004,00000000,00000000), ref: 00FA824C
                                          • EnableWindow.USER32(00000000,00000000), ref: 00FA8272
                                          • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FA82D1
                                          • ShowWindow.USER32(00000000,00000004), ref: 00FA82E5
                                          • EnableWindow.USER32(00000000,00000001), ref: 00FA830B
                                          • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FA832F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Show$Enable$MessageSend
                                          • String ID:
                                          • API String ID: 642888154-0
                                          • Opcode ID: 3f87041d0598065e1a79c840ee179488b21213a49f9c38148a0e25fc8edf21cd
                                          • Instruction ID: 744738290aa35f13e6cccd094690882335fb81971c78ebe49d61c0faacf05067
                                          • Opcode Fuzzy Hash: 3f87041d0598065e1a79c840ee179488b21213a49f9c38148a0e25fc8edf21cd
                                          • Instruction Fuzzy Hash: 4241C3B4A01648EFDF11CF15D899BE87BF0BB4B764F180168E6484F262CB71A842EB40
                                          APIs
                                          • IsWindowVisible.USER32(?), ref: 00F74C95
                                          • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F74CB2
                                          • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F74CEA
                                          • _wcslen.LIBCMT ref: 00F74D08
                                          • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F74D10
                                          • _wcsstr.LIBVCRUNTIME ref: 00F74D1A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                          • String ID:
                                          • API String ID: 72514467-0
                                          • Opcode ID: 510c15c6124d709499dbfbc3455ca4aa889bb2a8aef50543cb933c191c80bb27
                                          • Instruction ID: 75256d49171b57bc942f7609308e20f0b59d6e8ce39c65898f1749753bf723e0
                                          • Opcode Fuzzy Hash: 510c15c6124d709499dbfbc3455ca4aa889bb2a8aef50543cb933c191c80bb27
                                          • Instruction Fuzzy Hash: 3321DA72604114BBEB269B39EC45E7B7BACDF46760F10807AF80DCA151EB65EC00A6A1
                                          APIs
                                            • Part of subcall function 00F13AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F13A97,?,?,00F12E7F,?,?,?,00000000), ref: 00F13AC2
                                          • _wcslen.LIBCMT ref: 00F8587B
                                          • CoInitialize.OLE32(00000000), ref: 00F85995
                                          • CoCreateInstance.OLE32(00FAFCF8,00000000,00000001,00FAFB68,?), ref: 00F859AE
                                          • CoUninitialize.OLE32 ref: 00F859CC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                          • String ID: .lnk
                                          • API String ID: 3172280962-24824748
                                          • Opcode ID: 87e77d89a167187f1b3daba4564701e041067e6a8cf492b64a49f0f664f903d2
                                          • Instruction ID: 87d38c6042043026f9a3693fa56da98230ae2a24634fd892b4c12cac01c4e837
                                          • Opcode Fuzzy Hash: 87e77d89a167187f1b3daba4564701e041067e6a8cf492b64a49f0f664f903d2
                                          • Instruction Fuzzy Hash: BDD15571A087019FC714EF14C880AAABBF2FF89B24F144859F8899B361D735EC45DB92
                                          APIs
                                            • Part of subcall function 00F70FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F70FCA
                                            • Part of subcall function 00F70FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F70FD6
                                            • Part of subcall function 00F70FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F70FE5
                                            • Part of subcall function 00F70FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F70FEC
                                            • Part of subcall function 00F70FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F71002
                                          • GetLengthSid.ADVAPI32(?,00000000,00F71335), ref: 00F717AE
                                          • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F717BA
                                          • HeapAlloc.KERNEL32(00000000), ref: 00F717C1
                                          • CopySid.ADVAPI32(00000000,00000000,?), ref: 00F717DA
                                          • GetProcessHeap.KERNEL32(00000000,00000000,00F71335), ref: 00F717EE
                                          • HeapFree.KERNEL32(00000000), ref: 00F717F5
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                          • String ID:
                                          • API String ID: 3008561057-0
                                          • Opcode ID: bb6bf71d435d93a6c50c7011e2665952af69a55db8e56f40b58d01c8aa5d50a6
                                          • Instruction ID: 17e6242355e02ca238a357edf6eefa99166ca81001cd5b0b120e2757051bd19e
                                          • Opcode Fuzzy Hash: bb6bf71d435d93a6c50c7011e2665952af69a55db8e56f40b58d01c8aa5d50a6
                                          • Instruction Fuzzy Hash: EE11AF71A00209EFDB149FA8CC49BAF7BB9FB42365F10C019F44597111C7359949EBA1
                                          APIs
                                          • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F714FF
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00F71506
                                          • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00F71515
                                          • CloseHandle.KERNEL32(00000004), ref: 00F71520
                                          • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F7154F
                                          • DestroyEnvironmentBlock.USERENV(00000000), ref: 00F71563
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                          • String ID:
                                          • API String ID: 1413079979-0
                                          • Opcode ID: 78dbb6fa9227e0a7719d66fe9df7467da3a7a3c9e5d1b40b4bb786dedc39640c
                                          • Instruction ID: 11c68374826a4d71b9919fdd03daec37b14dc3f2337e750a8e6d2b48f0e0b746
                                          • Opcode Fuzzy Hash: 78dbb6fa9227e0a7719d66fe9df7467da3a7a3c9e5d1b40b4bb786dedc39640c
                                          • Instruction Fuzzy Hash: 431129B250020DABDF11CF98DD49BDE7BA9FF49754F048015FA09A2160C3758E68EBA1
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00F33379,00F32FE5), ref: 00F33390
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F3339E
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F333B7
                                          • SetLastError.KERNEL32(00000000,?,00F33379,00F32FE5), ref: 00F33409
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          • Opcode ID: 194954f7d6f9b73a2a7b219c25ccf0b650dfd372236241dd5dc8e2ca9f0c522b
                                          • Instruction ID: 75ce550e7161bb778d3ef67040b60fdbaeb5f3a4cbcddb10d37b19fac3007d72
                                          • Opcode Fuzzy Hash: 194954f7d6f9b73a2a7b219c25ccf0b650dfd372236241dd5dc8e2ca9f0c522b
                                          • Instruction Fuzzy Hash: 2F01FC33A0E316BEAA15A775BC8AB577F55DB05379F20822AF410C52F0EF154D01B584
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00F45686,00F53CD6,?,00000000,?,00F45B6A,?,?,?,?,?,00F3E6D1,?,00FD8A48), ref: 00F42D78
                                          • _free.LIBCMT ref: 00F42DAB
                                          • _free.LIBCMT ref: 00F42DD3
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00F3E6D1,?,00FD8A48,00000010,00F14F4A,?,?,00000000,00F53CD6), ref: 00F42DE0
                                          • SetLastError.KERNEL32(00000000,?,?,?,?,00F3E6D1,?,00FD8A48,00000010,00F14F4A,?,?,00000000,00F53CD6), ref: 00F42DEC
                                          • _abort.LIBCMT ref: 00F42DF2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          • Opcode ID: 7a6711af2872b26de9ac855fc7c98ffd377125ea5675c428ef88d89e8c6d2b1a
                                          • Instruction ID: 00721abf39e7937190bdb50ca5760a2558a3340b421b09b37f5e5ab9594c3c72
                                          • Opcode Fuzzy Hash: 7a6711af2872b26de9ac855fc7c98ffd377125ea5675c428ef88d89e8c6d2b1a
                                          • Instruction Fuzzy Hash: DFF0CD32D05A1127C69267397C06F1E3E76AFC2771F640435FC24921D1DE7889017161
                                          APIs
                                            • Part of subcall function 00F29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
                                            • Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296A2
                                            • Part of subcall function 00F29639: BeginPath.GDI32(?), ref: 00F296B9
                                            • Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296E2
                                          • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FA8A4E
                                          • LineTo.GDI32(?,00000003,00000000), ref: 00FA8A62
                                          • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FA8A70
                                          • LineTo.GDI32(?,00000000,00000003), ref: 00FA8A80
                                          • EndPath.GDI32(?), ref: 00FA8A90
                                          • StrokePath.GDI32(?), ref: 00FA8AA0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                          • String ID:
                                          • API String ID: 43455801-0
                                          • Opcode ID: 24e3866ef86b9043852d065f3c438acfbca939cea90027427d517fdb6fe5ac13
                                          • Instruction ID: f78b2743d40e46e9becf7c4d30874d864764bc40fb969fb04e6b779c158b417b
                                          • Opcode Fuzzy Hash: 24e3866ef86b9043852d065f3c438acfbca939cea90027427d517fdb6fe5ac13
                                          • Instruction Fuzzy Hash: 581109B600014CFFDB129F90DC88EAA7F6CEB09390F00C012BA199A1A1C7719D55EBA0
                                          APIs
                                          • GetDC.USER32(00000000), ref: 00F75218
                                          • GetDeviceCaps.GDI32(00000000,00000058), ref: 00F75229
                                          • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F75230
                                          • ReleaseDC.USER32(00000000,00000000), ref: 00F75238
                                          • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F7524F
                                          • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00F75261
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CapsDevice$Release
                                          • String ID:
                                          • API String ID: 1035833867-0
                                          • Opcode ID: a939b436f423ea00950aec3ef500fafdc5009f4e88f81f3e981bfc1290a1ee2b
                                          • Instruction ID: bbe6a3b66bdf07132bf109ef758622026c322fddb57bb7c2069dede6ca41b54e
                                          • Opcode Fuzzy Hash: a939b436f423ea00950aec3ef500fafdc5009f4e88f81f3e981bfc1290a1ee2b
                                          • Instruction Fuzzy Hash: 460162B5E00718BBEB109BA59C49E5EBFB9EF49751F048066FA09E7381D6709C00DFA1
                                          APIs
                                          • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F11BF4
                                          • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F11BFC
                                          • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F11C07
                                          • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F11C12
                                          • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F11C1A
                                          • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F11C22
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Virtual
                                          • String ID:
                                          • API String ID: 4278518827-0
                                          • Opcode ID: 3d5b174fe918ff348317e8ecdc868a218bf2df2fe7d9a0b2079dabf98ffe4199
                                          • Instruction ID: 31497f4e0c4ffc492fd8372c0a950a29e754092bc7f107b1e8c7cd8689944b28
                                          • Opcode Fuzzy Hash: 3d5b174fe918ff348317e8ecdc868a218bf2df2fe7d9a0b2079dabf98ffe4199
                                          • Instruction Fuzzy Hash: 7C0167B0902B5ABDE3008F6A8C85B52FFE8FF19354F04411BA15C4BA42C7F5A864CBE5
                                          APIs
                                          • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F7EB30
                                          • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F7EB46
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00F7EB55
                                          • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB64
                                          • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB6E
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F7EB75
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                          • String ID:
                                          • API String ID: 839392675-0
                                          • Opcode ID: f2f2654b7097863975bbd87992764e22e3d871f43ba95d9c5c7838df31cff53a
                                          • Instruction ID: f56d177187f96585a86dfc456ab9cedbbcfefda7819577b6c89bf40817e4c7be
                                          • Opcode Fuzzy Hash: f2f2654b7097863975bbd87992764e22e3d871f43ba95d9c5c7838df31cff53a
                                          • Instruction Fuzzy Hash: 72F017B2640158BBE6219B629C0EEAB3A7CEBCBB11F004159F605D1191EBA05A01AAF5
                                          APIs
                                          • GetClientRect.USER32(?), ref: 00F67452
                                          • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F67469
                                          • GetWindowDC.USER32(?), ref: 00F67475
                                          • GetPixel.GDI32(00000000,?,?), ref: 00F67484
                                          • ReleaseDC.USER32(?,00000000), ref: 00F67496
                                          • GetSysColor.USER32(00000005), ref: 00F674B0
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                          • String ID:
                                          • API String ID: 272304278-0
                                          • Opcode ID: 676edd7aa39d931bbaa2689965166f5b670b7ef64642a6aadb5755f25f224760
                                          • Instruction ID: 173d368597f43e42da51c5a98ad631c2a6d905e7a23a9d9446a62dcb010ce42d
                                          • Opcode Fuzzy Hash: 676edd7aa39d931bbaa2689965166f5b670b7ef64642a6aadb5755f25f224760
                                          • Instruction Fuzzy Hash: F7018B72800219EFDB10AF64DD08BAA7BB5FF06321F640060F919A21A0CF311E41BB90
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F7187F
                                          • UnloadUserProfile.USERENV(?,?), ref: 00F7188B
                                          • CloseHandle.KERNEL32(?), ref: 00F71894
                                          • CloseHandle.KERNEL32(?), ref: 00F7189C
                                          • GetProcessHeap.KERNEL32(00000000,?), ref: 00F718A5
                                          • HeapFree.KERNEL32(00000000), ref: 00F718AC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                          • String ID:
                                          • API String ID: 146765662-0
                                          • Opcode ID: 164c144de27216150ff323a5f10ad996f720d5b21834b5e987e9fabcacc640b7
                                          • Instruction ID: c0bbc7e9369c8153c54fc01143a302e2db3a28abef6c169bd1f706689546e46c
                                          • Opcode Fuzzy Hash: 164c144de27216150ff323a5f10ad996f720d5b21834b5e987e9fabcacc640b7
                                          • Instruction Fuzzy Hash: FFE0EDB6104209BBDB015FA2ED0C906BF79FF4A7217108220F22581071CB325421EF90
                                          APIs
                                            • Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625
                                          • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7C6EE
                                          • _wcslen.LIBCMT ref: 00F7C735
                                          • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F7C79C
                                          • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F7C7CA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ItemMenu$Info_wcslen$Default
                                          • String ID: 0
                                          • API String ID: 1227352736-4108050209
                                          • Opcode ID: 97294c498e88f22cf1a803a51acc5b4225d16bd5659fe35b0aa1105f6d0442b4
                                          • Instruction ID: 9729bad80adfc058a2d29e022f5fe72a1d868410104051cbed0e8082296cc052
                                          • Opcode Fuzzy Hash: 97294c498e88f22cf1a803a51acc5b4225d16bd5659fe35b0aa1105f6d0442b4
                                          • Instruction Fuzzy Hash: D251D071A043009BD7189F29CC85B6B77E4AF89320F048A2EF999D31D1DB74D945BB93
                                          APIs
                                          • ShellExecuteExW.SHELL32(0000003C), ref: 00F9AEA3
                                            • Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625
                                          • GetProcessId.KERNEL32(00000000), ref: 00F9AF38
                                          • CloseHandle.KERNEL32(00000000), ref: 00F9AF67
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseExecuteHandleProcessShell_wcslen
                                          • String ID: <$@
                                          • API String ID: 146682121-1426351568
                                          • Opcode ID: c5e4d27c891c63c59d09587ca5749ee864526086d0adfc5b881d3d6418461849
                                          • Instruction ID: 87b7dc1f3b8bd114cb59d56391e8779455cbddbdd49abe02ce616fe04fc1bc5f
                                          • Opcode Fuzzy Hash: c5e4d27c891c63c59d09587ca5749ee864526086d0adfc5b881d3d6418461849
                                          • Instruction Fuzzy Hash: FD716770A00619DFDF14EF55C884A9EBBF1BF08314F048499E81AAB252CB74ED85DB91
                                          APIs
                                          • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00F77206
                                          • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F7723C
                                          • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F7724D
                                          • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F772CF
                                          Similarity
                                          • API ID: ErrorMode$AddressCreateInstanceProc
                                          • String ID: DllGetClassObject
                                          • API String ID: 753597075-1075368562
                                          • Opcode ID: a4e69430818d43f2565ad5e80989329f1fc584b93943570785ad4258c1a57950
                                          • Instruction ID: 8ac9c41487fe1f3e9594cb37481311530ad8ab4e8400be4fabe12c7e8357ff46
                                          • Opcode Fuzzy Hash: a4e69430818d43f2565ad5e80989329f1fc584b93943570785ad4258c1a57950
                                          • Instruction Fuzzy Hash: 49419EB1A14304EFDB15DF54C884A9A7BA9EF44310F1480AABD09DF20AD7B0D944EFA1
                                          APIs
                                          • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FA3E35
                                          • IsMenu.USER32(?), ref: 00FA3E4A
                                          • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FA3E92
                                          • DrawMenuBar.USER32 ref: 00FA3EA5
                                          Similarity
                                          • API ID: Menu$Item$DrawInfoInsert
                                          • String ID: 0
                                          • API String ID: 3076010158-4108050209
                                          • Opcode ID: 610fdf4e9fed0cba79bfff97a16c72be18bae6ca0b3589517003477be9a01598
                                          • Instruction ID: e72a7cb20db103fcbd2a33ce7990e3b23a550df5ce61309277fb65ae49a6e96a
                                          • Opcode Fuzzy Hash: 610fdf4e9fed0cba79bfff97a16c72be18bae6ca0b3589517003477be9a01598
                                          • Instruction Fuzzy Hash: C3412BB5E11209EFDB10DF50D8C4A9AB7B5FF46365F04411AF90597250D730AE49EF50
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA
                                          • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F71E66
                                          • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F71E79
                                          • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F71EA9
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                          Similarity
                                          • API ID: MessageSend$_wcslen$ClassName
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 2081771294-1403004172
                                          • Opcode ID: 55ee32eba52d927d9d1a35a987de298a24ca1b1b37291d209811ba4e75ea7d72
                                          • Instruction ID: 1f48990b72069d93d8725b61c966d4c0d5b8ecd89e72d829cb939067f22f278c
                                          • Opcode Fuzzy Hash: 55ee32eba52d927d9d1a35a987de298a24ca1b1b37291d209811ba4e75ea7d72
                                          • Instruction Fuzzy Hash: 9D216B71A00108BEDB149B68DC56CFFB7B8EF42360B14812AF859A32E1DB785D4DB661
                                          APIs
                                          • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FA2F8D
                                          • LoadLibraryW.KERNEL32(?), ref: 00FA2F94
                                          • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FA2FA9
                                          • DestroyWindow.USER32(?), ref: 00FA2FB1
                                          Similarity
                                          • API ID: MessageSend$DestroyLibraryLoadWindow
                                          • String ID: SysAnimate32
                                          • API String ID: 3529120543-1011021900
                                          • Opcode ID: 8dfcd14c0e82500a461cdbd15f22e4becafbfc75aa01950f8e40930650297ffc
                                          • Instruction ID: 4767183dfa5f5a8164e5938456a33798bfa76095b4d82a396b083fdd6405765d
                                          • Opcode Fuzzy Hash: 8dfcd14c0e82500a461cdbd15f22e4becafbfc75aa01950f8e40930650297ffc
                                          • Instruction Fuzzy Hash: 5E216AB2B04209AFEB508F68DC80EBB77B9EB5A374F104619F950D6190D771DC91B7A0
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F34D1E,00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002), ref: 00F34D8D
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F34DA0
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,00F34D1E,00F428E9,?,00F34CBE,00F428E9,00FD88B8,0000000C,00F34E15,00F428E9,00000002,00000000), ref: 00F34DC3
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 78fe8e7ad4dd93f3d578e658e93e577b1904589132361c189db5bf719f8356c6
                                          • Instruction ID: 2dfb18ea890b0fbb2c81408059c818c2c8a485eee5c4d105832e89438ef42780
                                          • Opcode Fuzzy Hash: 78fe8e7ad4dd93f3d578e658e93e577b1904589132361c189db5bf719f8356c6
                                          • Instruction Fuzzy Hash: 5CF03C75A4020CABDB119B95DC49BAEBFE5EB44762F0001A5E806A2260CF74A940EED1
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E9C
                                          • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F14EAE
                                          • FreeLibrary.KERNEL32(00000000,?,?,00F14EDD,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14EC0
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                          • API String ID: 145871493-3689287502
                                          • Opcode ID: 503ac4e7634ac07ba73e7ab7c45ad3eec3e5b7c851749e88852371392af3066e
                                          • Instruction ID: 0506fde285864f7fb4cba61181df19c5d78cb9f51bcc97be8837e1f09535ce66
                                          • Opcode Fuzzy Hash: 503ac4e7634ac07ba73e7ab7c45ad3eec3e5b7c851749e88852371392af3066e
                                          • Instruction Fuzzy Hash: 98E08675F015225B923117256C18B9B7554AFC2B727090115FD04D2200DB60DD4165E2
                                          APIs
                                          • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E62
                                          • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F14E74
                                          • FreeLibrary.KERNEL32(00000000,?,?,00F53CDE,?,00FE1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00F14E87
                                          Similarity
                                          • API ID: Library$AddressFreeLoadProc
                                          • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                          • API String ID: 145871493-1355242751
                                          • Opcode ID: 4aa6d9d66b69ea18c3c3ce7ba67ea0a3e8efe08c371db0e24ee8c553524dd1c3
                                          • Instruction ID: 28b16099b53a66c154b746c685d0e8fd8c944c7e8b5392c813d84a56019507a4
                                          • Opcode Fuzzy Hash: 4aa6d9d66b69ea18c3c3ce7ba67ea0a3e8efe08c371db0e24ee8c553524dd1c3
                                          • Instruction Fuzzy Hash: E0D01279A026235756221B267C18ECB7A18AFC6B653090615F905A2114CF61DD42B6E1
                                          APIs
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82C05
                                          • DeleteFileW.KERNEL32(?), ref: 00F82C87
                                          • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F82C9D
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82CAE
                                          • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F82CC0
                                          Similarity
                                          • API ID: File$Delete$Copy
                                          • String ID:
                                          • API String ID: 3226157194-0
                                          • Opcode ID: 393d4112110b3703688c38ccd43d65a2235128938f82fd2a1986bb224349c87b
                                          • Instruction ID: e90103c412925bfef744f6c4de3341d119cb5d3aae3714f678c99f051e73fda1
                                          • Opcode Fuzzy Hash: 393d4112110b3703688c38ccd43d65a2235128938f82fd2a1986bb224349c87b
                                          • Instruction Fuzzy Hash: 09B18072D01119ABDF55EFA4CC85EEEB7BDEF49310F0040A6F509E6141EB34AA449F61
                                          APIs
                                          • GetCurrentProcessId.KERNEL32 ref: 00F9A427
                                          • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F9A435
                                          • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F9A468
                                          • CloseHandle.KERNEL32(?), ref: 00F9A63D
                                          Similarity
                                          • API ID: Process$CloseCountersCurrentHandleOpen
                                          • String ID:
                                          • API String ID: 3488606520-0
                                          • Opcode ID: 9b79e8b51b9c00b50b18a91512802c4056cf1686dc5868f174189837e5a33d11
                                          • Instruction ID: 40697c057a4b3fc26e82ab73f7d6f9bbcb9af6ae3ce385cd087b338d217eefa4
                                          • Opcode Fuzzy Hash: 9b79e8b51b9c00b50b18a91512802c4056cf1686dc5868f174189837e5a33d11
                                          • Instruction Fuzzy Hash: B7A1A071604300AFEB20DF24D886F2AB7E5AF84714F14881DF95A9B292DB74EC41DB92
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00FB3700), ref: 00F4BB91
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00FE121C,000000FF,00000000,0000003F,00000000,?,?), ref: 00F4BC09
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00FE1270,000000FF,?,0000003F,00000000,?), ref: 00F4BC36
                                          • _free.LIBCMT ref: 00F4BB7F
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F4BD4B
                                          Similarity
                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                          • String ID:
                                          • API String ID: 1286116820-0
                                          • Opcode ID: 93ee9bc46de14d1e246d79f715937e054129db4bd33b8ee58b176cc485b541b0
                                          • Instruction ID: ee7a89c0fabfa5be03b214e1be265d3d690f513edcb723dbcdb2fa4a350639dc
                                          • Opcode Fuzzy Hash: 93ee9bc46de14d1e246d79f715937e054129db4bd33b8ee58b176cc485b541b0
                                          • Instruction Fuzzy Hash: B851B771D04209AFDB14DF669CC19AEBFB8FF41320B10426AEA54D7192EB34DE41BB90
                                          APIs
                                            • Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F7CF22,?), ref: 00F7DDFD
                                            • Part of subcall function 00F7DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F7CF22,?), ref: 00F7DE16
                                            • Part of subcall function 00F7E199: GetFileAttributesW.KERNEL32(?,00F7CF95), ref: 00F7E19A
                                          • lstrcmpiW.KERNEL32(?,?), ref: 00F7E473
                                          • MoveFileW.KERNEL32(?,?), ref: 00F7E4AC
                                          • _wcslen.LIBCMT ref: 00F7E5EB
                                          • _wcslen.LIBCMT ref: 00F7E603
                                          • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00F7E650
                                          Similarity
                                          • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                          • String ID:
                                          • API String ID: 3183298772-0
                                          • Opcode ID: c247f67206c1c9bf041d30746d1caa81e4811fef2ccebcb11a3686a4f025ecab
                                          • Instruction ID: f0228a570fbe5e6917cea122c957e7ebed187c7daac9480866e804a4f2f6833e
                                          • Opcode Fuzzy Hash: c247f67206c1c9bf041d30746d1caa81e4811fef2ccebcb11a3686a4f025ecab
                                          • Instruction Fuzzy Hash: A45182B24083455BC724DBA0DC819DB73ECAF89350F40495FF689D3151EF78A68897A7
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F9C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F9B6AE,?,?), ref: 00F9C9B5
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9C9F1
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA68
                                            • Part of subcall function 00F9C998: _wcslen.LIBCMT ref: 00F9CA9E
                                          • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F9BAA5
                                          • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F9BB00
                                          • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F9BB63
                                          • RegCloseKey.ADVAPI32(?,?), ref: 00F9BBA6
                                          • RegCloseKey.ADVAPI32(00000000), ref: 00F9BBB3
                                          Similarity
                                          • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                          • String ID:
                                          • API String ID: 826366716-0
                                          • Opcode ID: 667b21b63dbe9f4ea444b7b118d62f1da1c31fbb2c342286598ce1cb0317b978
                                          • Instruction ID: 3ba1510d97d4a93acb2b7bd66584dab5661794d397a29b5c8db884535c0632e0
                                          • Opcode Fuzzy Hash: 667b21b63dbe9f4ea444b7b118d62f1da1c31fbb2c342286598ce1cb0317b978
                                          • Instruction Fuzzy Hash: 93610331208201EFD714DF14C990E6ABBE5FF84318F54855CF4998B2A2CB35ED45EB92
                                          APIs
                                          • VariantInit.OLEAUT32(?), ref: 00F78BCD
                                          • VariantClear.OLEAUT32 ref: 00F78C3E
                                          • VariantClear.OLEAUT32 ref: 00F78C9D
                                          • VariantClear.OLEAUT32(?), ref: 00F78D10
                                          • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F78D3B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Variant$Clear$ChangeInitType
                                          • String ID:
                                          • API String ID: 4136290138-0
                                          • Opcode ID: 7258c0001794f6ef9a1bce8014884e5fb29675c947862ca625af0e134cb53dfa
                                          • Instruction ID: b80a6096ec71ec63efff95841d39dc9a57775f1b230c49e18cf4b2a489bc8854
                                          • Opcode Fuzzy Hash: 7258c0001794f6ef9a1bce8014884e5fb29675c947862ca625af0e134cb53dfa
                                          • Instruction Fuzzy Hash: 13515CB5A00219EFCB14CF58C894AAAB7F8FF8D350B15855AE909DB350E730E912CF90
                                          APIs
                                          • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F88BAE
                                          • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00F88BDA
                                          • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F88C32
                                          • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F88C57
                                          • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F88C5F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: PrivateProfile$SectionWrite$String
                                          • String ID:
                                          • API String ID: 2832842796-0
                                          • Opcode ID: 5f9d805c0d8af2b8e3765ce0ab7571baf335a58df92f2dab9612f7742bbc0daf
                                          • Instruction ID: 0b4515366b7a140421ee5182fd63271009eeda2b0e3512ceda61e30a5101ce95
                                          • Opcode Fuzzy Hash: 5f9d805c0d8af2b8e3765ce0ab7571baf335a58df92f2dab9612f7742bbc0daf
                                          • Instruction Fuzzy Hash: E1514C35A002199FCB05EF64C881AADBBF5FF49314F088458E849AB362DB35ED51EB90
                                          APIs
                                          • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00F98F40
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00F98FD0
                                          • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F98FEC
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00F99032
                                          • FreeLibrary.KERNEL32(00000000), ref: 00F99052
                                            • Part of subcall function 00F2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00F81043,?,7529E610), ref: 00F2F6E6
                                            • Part of subcall function 00F2F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00F6FA64,00000000,00000000,?,?,00F81043,?,7529E610,?,00F6FA64), ref: 00F2F70D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                          • String ID:
                                          • API String ID: 666041331-0
                                          • Opcode ID: 686d0966f9acac9c72bdd1aaaa2182bc5502bc02588e27fafb8586f31f4974a4
                                          • Instruction ID: 3313db446366584ca3b47eeffaad73f60e866fbd4676b1fbb5bfbee6241dec4a
                                          • Opcode Fuzzy Hash: 686d0966f9acac9c72bdd1aaaa2182bc5502bc02588e27fafb8586f31f4974a4
                                          • Instruction Fuzzy Hash: E4517E35A04205DFDB04DF68C4949ADBBF1FF49324F098098E8169B362DB35ED86EB90
                                          APIs
                                          • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FA6C33
                                          • SetWindowLongW.USER32(?,000000EC,?), ref: 00FA6C4A
                                          • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FA6C73
                                          • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00F8AB79,00000000,00000000), ref: 00FA6C98
                                          • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FA6CC7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Long$MessageSendShow
                                          • String ID:
                                          • API String ID: 3688381893-0
                                          • Opcode ID: 7b0fde73949a813cc12e9048f274a942489635dcf65d2c8532b34c4317e13134
                                          • Instruction ID: 4a98de6547877b313be1c0d044f8e8edab37c3a6fda8f13159b9b8e42679355c
                                          • Opcode Fuzzy Hash: 7b0fde73949a813cc12e9048f274a942489635dcf65d2c8532b34c4317e13134
                                          • Instruction Fuzzy Hash: 1541B3B5A04104AFD724DF28CC54FA97BA5EB4B371F190228F899E73E1C771AD41EA90
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: e90b4c5450ba9fca056c180131fb1adb18f949755dcc60ceab6c5c4b678f5322
                                          • Instruction ID: 949b84ccbfb469b3f0ed13d846292349a6fa70420d07fdab38fa0299f1efc3f0
                                          • Opcode Fuzzy Hash: e90b4c5450ba9fca056c180131fb1adb18f949755dcc60ceab6c5c4b678f5322
                                          • Instruction Fuzzy Hash: 7C41CF32E002049BCB20DF78C880A5EBBF5EF88720F5545B9F915EB356DA31AD01EB80
                                          APIs
                                          • GetCursorPos.USER32(?), ref: 00F29141
                                          • ScreenToClient.USER32(00000000,?), ref: 00F2915E
                                          • GetAsyncKeyState.USER32(00000001), ref: 00F29183
                                          • GetAsyncKeyState.USER32(00000002), ref: 00F2919D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: AsyncState$ClientCursorScreen
                                          • String ID:
                                          • API String ID: 4210589936-0
                                          • Opcode ID: c54ae6fedf47dd71d28d97f74801bd10680afdbcce07c4ca5f7455a62442829b
                                          • Instruction ID: d1f832c04f5ea1d067020f69b7517d3ac56fa7464b02ac55716350fc2c3d8cdb
                                          • Opcode Fuzzy Hash: c54ae6fedf47dd71d28d97f74801bd10680afdbcce07c4ca5f7455a62442829b
                                          • Instruction Fuzzy Hash: 22416071A0861ABBDF15AF69D844BEEB774FB06334F204216E429A32D0C7746950EF91
                                          APIs
                                          • GetInputState.USER32 ref: 00F838CB
                                          • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00F83922
                                          • TranslateMessage.USER32(?), ref: 00F8394B
                                          • DispatchMessageW.USER32(?), ref: 00F83955
                                          • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F83966
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                          • String ID:
                                          • API String ID: 2256411358-0
                                          • Opcode ID: 81b44b6f4f1d8f5e430c0c0a0cc7de65d74bcef42fe7e199b870119217987b39
                                          • Instruction ID: d622f3cc50b63c73b271d05c017ae446d4f7333896912d891ac6d8afd310c50c
                                          • Opcode Fuzzy Hash: 81b44b6f4f1d8f5e430c0c0a0cc7de65d74bcef42fe7e199b870119217987b39
                                          • Instruction Fuzzy Hash: E631E571D043899EEB35EB35DC88BF637A9EB05B10F04056DE466860B0E7F4AA85FB11
                                          APIs
                                          • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CF38
                                          • InternetReadFile.WININET(?,00000000,?,?), ref: 00F8CF6F
                                          • GetLastError.KERNEL32(?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFB4
                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFC8
                                          • SetEvent.KERNEL32(?,?,00000000,?,?,?,00F8C21E,00000000), ref: 00F8CFF2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                          • String ID:
                                          • API String ID: 3191363074-0
                                          • Opcode ID: 39fd04e73c5ba3cc13062348df38ba248550f906e783bb9f706395ff136bd881
                                          • Instruction ID: 548d1dbe377123704a8411f47e8144a08ac2a23d3c1c6ad482403b65f1ef4619
                                          • Opcode Fuzzy Hash: 39fd04e73c5ba3cc13062348df38ba248550f906e783bb9f706395ff136bd881
                                          • Instruction Fuzzy Hash: 703150B1904205EFEB20EFA5D884AABBBF9EF15354B10442EF616D2140DB34AD45EBB0
                                          APIs
                                          • GetWindowRect.USER32(?,?), ref: 00F71915
                                          • PostMessageW.USER32(00000001,00000201,00000001), ref: 00F719C1
                                          • Sleep.KERNEL32(00000000,?,?,?), ref: 00F719C9
                                          • PostMessageW.USER32(00000001,00000202,00000000), ref: 00F719DA
                                          • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00F719E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessagePostSleep$RectWindow
                                          • String ID:
                                          • API String ID: 3382505437-0
                                          • Opcode ID: 80c336edc8980b731f77da87044fa76230072befd0fb8b78124e8113e84965ab
                                          • Instruction ID: bcfb8134c6e06e463f76445e7a0f9dee151ca9cc69270981d7245a49ca3e27e6
                                          • Opcode Fuzzy Hash: 80c336edc8980b731f77da87044fa76230072befd0fb8b78124e8113e84965ab
                                          • Instruction Fuzzy Hash: A231C171A00219EFCB10CFACCD58ADE3BB5FB05324F008226FA25A72D1C3709959EB91
                                          APIs
                                          • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00FA5745
                                          • SendMessageW.USER32(?,00001074,?,00000001), ref: 00FA579D
                                          • _wcslen.LIBCMT ref: 00FA57AF
                                          • _wcslen.LIBCMT ref: 00FA57BA
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA5816
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$_wcslen
                                          • String ID:
                                          • API String ID: 763830540-0
                                          • Opcode ID: 3f157750d41b12af5d864cfe9a07a849c1ba192d6529c9016715ba975d796eab
                                          • Instruction ID: 137cdc5c9156619572a6f8f258312bc2f6cb843d5848bf5b7c96d8c832c72de8
                                          • Opcode Fuzzy Hash: 3f157750d41b12af5d864cfe9a07a849c1ba192d6529c9016715ba975d796eab
                                          • Instruction Fuzzy Hash: AC2185B5D04618DADB20DFA0CC85AEE77B8FF06B34F108216F919EA180D7749985EF91
                                          APIs
                                          • IsWindow.USER32(00000000), ref: 00F90951
                                          • GetForegroundWindow.USER32 ref: 00F90968
                                          • GetDC.USER32(00000000), ref: 00F909A4
                                          • GetPixel.GDI32(00000000,?,00000003), ref: 00F909B0
                                          • ReleaseDC.USER32(00000000,00000003), ref: 00F909E8
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$ForegroundPixelRelease
                                          • String ID:
                                          • API String ID: 4156661090-0
                                          • Opcode ID: b66e8f5ba544e34b1cf784b174406b627802648fc147fb2ad11c51d62642cb6e
                                          • Instruction ID: 26b83ae87862b5fb90742f45bf63d1f40caa79a1eda658204330e16c3e6bb1b7
                                          • Opcode Fuzzy Hash: b66e8f5ba544e34b1cf784b174406b627802648fc147fb2ad11c51d62642cb6e
                                          • Instruction Fuzzy Hash: B3218176A00204AFD714EF65CD84AAEBBE9EF45700F048468F84AA7352DB34AC44EB90
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 00F4CDC6
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F4CDE9
                                            • Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F4CE0F
                                          • _free.LIBCMT ref: 00F4CE22
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F4CE31
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: 85648a8806a2743cc8dc5c537153505337f9f3f185867c8ecfcc9f03578612a0
                                          • Instruction ID: 41074dd1cd0757a4f790f1cc15a6f444036199b4fdc9b0b00c856fbe0c46217c
                                          • Opcode Fuzzy Hash: 85648a8806a2743cc8dc5c537153505337f9f3f185867c8ecfcc9f03578612a0
                                          • Instruction Fuzzy Hash: 1F0184B2A032157F276116BA6C88D7B7D6DDEC7BA13151129FD05C7201EF658D02B1F0
                                          APIs
                                          • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
                                          • SelectObject.GDI32(?,00000000), ref: 00F296A2
                                          • BeginPath.GDI32(?), ref: 00F296B9
                                          • SelectObject.GDI32(?,00000000), ref: 00F296E2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ObjectSelect$BeginCreatePath
                                          • String ID:
                                          • API String ID: 3225163088-0
                                          • Opcode ID: 86700862888fca113c41d52e5d746c544debb63ab0d19de01798345e74af7ae7
                                          • Instruction ID: 411f6a8312757a394197a6f9af92c88b46740d7aa8e383558d9af57e4044ac8d
                                          • Opcode Fuzzy Hash: 86700862888fca113c41d52e5d746c544debb63ab0d19de01798345e74af7ae7
                                          • Instruction Fuzzy Hash: D1219F71806359EFDB119F26EC88BAD3FA8BB01365F104216F410AB1B2D3B49895FF90
                                          APIs
                                          • SetTextColor.GDI32(?,?), ref: 00F298D6
                                          • SetBkMode.GDI32(?,00000001), ref: 00F298E9
                                          • GetStockObject.GDI32(00000005), ref: 00F298F1
                                          • GetWindowLongW.USER32(?,000000EB), ref: 00F29952
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ColorLongModeObjectStockTextWindow
                                          • String ID:
                                          • API String ID: 2960364272-0
                                          • Opcode ID: 2c186ea271cc2be81221c996690c41a3743c403770fb3fcbd4d96e4f86db0c3d
                                          • Instruction ID: 408cd86b72a05038e461d57a92fb65aa51a2d4f4b46049afc125b540a44da212
                                          • Opcode Fuzzy Hash: 2c186ea271cc2be81221c996690c41a3743c403770fb3fcbd4d96e4f86db0c3d
                                          • Instruction Fuzzy Hash: 3C1127B29492649FC7218B75FC59BFA3B60AB53331F08015DE5924B1E2C7B14980FB51
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _memcmp
                                          • String ID:
                                          • API String ID: 2931989736-0
                                          • Opcode ID: 87f8128c48d2025ab1485b1a7721110376880ad48551ea9c12f9cc0cc5bee0f0
                                          • Instruction ID: 5aed0b1e3391286456e0d0b589c728bc4d72cc8b5c57d1d38200ae0b7fc92490
                                          • Opcode Fuzzy Hash: 87f8128c48d2025ab1485b1a7721110376880ad48551ea9c12f9cc0cc5bee0f0
                                          • Instruction Fuzzy Hash: 94019BA6A4160DFA920C55119D82FBA735D9B617B4F008026FD085E141F7A5EE15B2A2
                                          APIs
                                          • GetLastError.KERNEL32(?,?,?,00F3F2DE,00F43863,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6), ref: 00F42DFD
                                          • _free.LIBCMT ref: 00F42E32
                                          • _free.LIBCMT ref: 00F42E59
                                          • SetLastError.KERNEL32(00000000,00F11129), ref: 00F42E66
                                          • SetLastError.KERNEL32(00000000,00F11129), ref: 00F42E6F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: 8f9b10e10a50b80693da3a925e3f2a1a9219512759c22633736df5d7ef15236d
                                          • Instruction ID: 7ba15035ea4806dd112f55e5248e1474d5c6bd0ee2c1443230da4b0be6eea1b9
                                          • Opcode Fuzzy Hash: 8f9b10e10a50b80693da3a925e3f2a1a9219512759c22633736df5d7ef15236d
                                          • Instruction Fuzzy Hash: DB01F47360560577CA5267356C85E2B3E6AABD27B1BE40039FC25E2292EE78CC01B160
                                          APIs
                                          • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?,?,00F7035E), ref: 00F7002B
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70046
                                          • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70054
                                          • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?), ref: 00F70064
                                          • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00F6FF41,80070057,?,?), ref: 00F70070
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: From$Prog$FreeStringTasklstrcmpi
                                          • String ID:
                                          • API String ID: 3897988419-0
                                          • Opcode ID: 85d3f2b8bec18a42c550c8d08ee60faca53b7ac2ea329748e3ff2ae6ff992c55
                                          • Instruction ID: 1eb50bf0f5d4d73285e88ad96496c7834600d3996495e4ceb542f2330adf5cb1
                                          • Opcode Fuzzy Hash: 85d3f2b8bec18a42c550c8d08ee60faca53b7ac2ea329748e3ff2ae6ff992c55
                                          • Instruction Fuzzy Hash: 680162B6600218FFDB114F69DC44BAA7BEDEF48761F148125F909D6210DB75DD40ABA0
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00F7E997
                                          • QueryPerformanceFrequency.KERNEL32(?), ref: 00F7E9A5
                                          • Sleep.KERNEL32(00000000), ref: 00F7E9AD
                                          • QueryPerformanceCounter.KERNEL32(?), ref: 00F7E9B7
                                          • Sleep.KERNEL32 ref: 00F7E9F3
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: PerformanceQuery$CounterSleep$Frequency
                                          • String ID:
                                          • API String ID: 2833360925-0
                                          • Opcode ID: 4e1446b989289b147cc530fe67f2d67243ec06d62574a44aad26b8968f3e41cd
                                          • Instruction ID: 69cc7b2f040950127488b629c47487795b5a85a47c5ac893335cb760cc756d90
                                          • Opcode Fuzzy Hash: 4e1446b989289b147cc530fe67f2d67243ec06d62574a44aad26b8968f3e41cd
                                          • Instruction Fuzzy Hash: 83015B72D0152DDBCF009BE5DC49ADDBB78BF0E311F004587E606B2241CB349555EBA2
                                          APIs
                                          • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F71114
                                          • GetLastError.KERNEL32(?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71120
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F7112F
                                          • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00F70B9B,?,?,?), ref: 00F71136
                                          • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F7114D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 842720411-0
                                          • Opcode ID: 42a40c6086b1d7df6323914cc7d8a116a281fae3dbe77d5130e378dd8b944160
                                          • Instruction ID: cc4c14f8e76c3580c2846b5220419e4f45812e9d3d1d180a4dd7f0e002b344f2
                                          • Opcode Fuzzy Hash: 42a40c6086b1d7df6323914cc7d8a116a281fae3dbe77d5130e378dd8b944160
                                          • Instruction Fuzzy Hash: C9011DB5600209BFDB114F69DC49A6A3B7EFF86360B514415FA45D7360DA71DD00AAA0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F70FCA
                                          • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F70FD6
                                          • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F70FE5
                                          • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00F70FEC
                                          • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F71002
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: f6c3189d5c388aef546c6b85cdbb31916e3f24bff07c008cbd039e73502fae85
                                          • Instruction ID: b54090c9b3b2404fbe9083f903c4f8bc3ee802731c4e1c94d6b32b2319304def
                                          • Opcode Fuzzy Hash: f6c3189d5c388aef546c6b85cdbb31916e3f24bff07c008cbd039e73502fae85
                                          • Instruction Fuzzy Hash: 1CF049B5600309ABDB214FA99C49F563BADFF8A762F108415FA49C6251DE70DC50AAA0
                                          APIs
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F7102A
                                          • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F71036
                                          • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71045
                                          • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7104C
                                          • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71062
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: HeapInformationToken$AllocErrorLastProcess
                                          • String ID:
                                          • API String ID: 44706859-0
                                          • Opcode ID: 5398ae3fd9ff69d3dc32c5f153b3a51f63a2c0b5a970c417986b46fe5d0f9e69
                                          • Instruction ID: b3d88f11d848e15bfabe97d25e6d087f77d428f8ce63bf1498bc72fc45595187
                                          • Opcode Fuzzy Hash: 5398ae3fd9ff69d3dc32c5f153b3a51f63a2c0b5a970c417986b46fe5d0f9e69
                                          • Instruction Fuzzy Hash: 60F06DB5200309FBDB215FA9EC49F563BAEFF8A761F104415FA49C7251DE70D850AAA0
                                          APIs
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80324
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80331
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F8033E
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F8034B
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80358
                                          • CloseHandle.KERNEL32(?,?,?,?,00F8017D,?,00F832FC,?,00000001,00F52592,?), ref: 00F80365
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseHandle
                                          • String ID:
                                          • API String ID: 2962429428-0
                                          • Opcode ID: 778dc5edcca292fe31013cd125f31b345bd00eb54986f735c76098a1f0881679
                                          • Instruction ID: 41e66d9c761bb7403246ecb94612fbac51a28a2e9c6afd31078bac300a380d33
                                          • Opcode Fuzzy Hash: 778dc5edcca292fe31013cd125f31b345bd00eb54986f735c76098a1f0881679
                                          • Instruction Fuzzy Hash: 6401AE72801B15DFCB30AF66D880852FBF9BF603253558A3FD19652931CBB1A958EF80
                                          APIs
                                          • _free.LIBCMT ref: 00F4D752
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F4D764
                                          • _free.LIBCMT ref: 00F4D776
                                          • _free.LIBCMT ref: 00F4D788
                                          • _free.LIBCMT ref: 00F4D79A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 99b6dc2da6d8c8b103387ca1bd3ce904ad30d6db63cdd09287d5ee191e88867e
                                          • Instruction ID: 6bdfd334b1148a894749ceb9afe35ba0d1628fe32c70232285b7df720c2c6c9e
                                          • Opcode Fuzzy Hash: 99b6dc2da6d8c8b103387ca1bd3ce904ad30d6db63cdd09287d5ee191e88867e
                                          • Instruction Fuzzy Hash: D4F01232945209AB9665EB69FDC5C167FEEBB447207D40C16F848D7501C734FC80B6A4
                                          APIs
                                          • GetDlgItem.USER32(?,000003E9), ref: 00F75C58
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F75C6F
                                          • MessageBeep.USER32(00000000), ref: 00F75C87
                                          • KillTimer.USER32(?,0000040A), ref: 00F75CA3
                                          • EndDialog.USER32(?,00000001), ref: 00F75CBD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: BeepDialogItemKillMessageTextTimerWindow
                                          • String ID:
                                          • API String ID: 3741023627-0
                                          • Opcode ID: d9531f6a0ef2554f504a5a180bb44618de314dc33dd3e95b9c6eee6d67b49cbb
                                          • Instruction ID: 6f1d2a870e4f9506a7a706ac398825199432af573d7e86e520111465300e9db1
                                          • Opcode Fuzzy Hash: d9531f6a0ef2554f504a5a180bb44618de314dc33dd3e95b9c6eee6d67b49cbb
                                          • Instruction Fuzzy Hash: 4801A970500B08ABEB219B20DD4EFA677B8BF01F05F04455AB587A11E1DBF4A994EFD1
                                          APIs
                                          • _free.LIBCMT ref: 00F422BE
                                            • Part of subcall function 00F429C8: RtlFreeHeap.NTDLL(00000000,00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000), ref: 00F429DE
                                            • Part of subcall function 00F429C8: GetLastError.KERNEL32(00000000,?,00F4D7D1,00000000,00000000,00000000,00000000,?,00F4D7F8,00000000,00000007,00000000,?,00F4DBF5,00000000,00000000), ref: 00F429F0
                                          • _free.LIBCMT ref: 00F422D0
                                          • _free.LIBCMT ref: 00F422E3
                                          • _free.LIBCMT ref: 00F422F4
                                          • _free.LIBCMT ref: 00F42305
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: bee3a393de9961fc1f7995477c0bd5a6870adb9d79605d313cb3508eb05eed34
                                          • Instruction ID: c8e76a838b4bc0aa0b08bf3240b5546a28a9261e68bc3f193f9962ec1af7b58d
                                          • Opcode Fuzzy Hash: bee3a393de9961fc1f7995477c0bd5a6870adb9d79605d313cb3508eb05eed34
                                          • Instruction Fuzzy Hash: 72F05E708011A99B9A52AF6ABC8180D3F79F718770784052BF810DA2B1CB761962FFE4
                                          APIs
                                          • EndPath.GDI32(?), ref: 00F295D4
                                          • StrokeAndFillPath.GDI32(?,?,00F671F7,00000000,?,?,?), ref: 00F295F0
                                          • SelectObject.GDI32(?,00000000), ref: 00F29603
                                          • DeleteObject.GDI32 ref: 00F29616
                                          • StrokePath.GDI32(?), ref: 00F29631
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Path$ObjectStroke$DeleteFillSelect
                                          • String ID:
                                          • API String ID: 2625713937-0
                                          • Opcode ID: 89856cd60a6d6429b4651ce4d008c3cefcbbcb4992c2a3192ebecdd7ab0949dd
                                          • Instruction ID: 92ea5225117b8b87342b3b51788b9cdb6800cdc140cebc8c6e589a3258cbcb5a
                                          • Opcode Fuzzy Hash: 89856cd60a6d6429b4651ce4d008c3cefcbbcb4992c2a3192ebecdd7ab0949dd
                                          • Instruction Fuzzy Hash: 20F0197140A24CEBDB125F66ED587683FA1BB02332F048214F5259A0F2CB748995FF60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: __freea$_free
                                          • String ID: a/p$am/pm
                                          • API String ID: 3432400110-3206640213
                                          • Opcode ID: 448769b0a3d1e037c46d72151f2955b90d552e41c9e76eace3be73363ef2bd81
                                          • Instruction ID: 321fb26060d3c1cd9bdd5d2c4d6e8a6de0bc2b22d2d49acfecf4a19528e3fa62
                                          • Opcode Fuzzy Hash: 448769b0a3d1e037c46d72151f2955b90d552e41c9e76eace3be73363ef2bd81
                                          • Instruction Fuzzy Hash: D1D10132E10206CADB288F68C845BFABFB5FF05720F284119ED11AB650D3759EC0EB91
                                          APIs
                                            • Part of subcall function 00F30242: EnterCriticalSection.KERNEL32(00FE070C,00FE1884,?,?,00F2198B,00FE2518,?,?,?,00F112F9,00000000), ref: 00F3024D
                                            • Part of subcall function 00F30242: LeaveCriticalSection.KERNEL32(00FE070C,?,00F2198B,00FE2518,?,?,?,00F112F9,00000000), ref: 00F3028A
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F300A3: __onexit.LIBCMT ref: 00F300A9
                                          • __Init_thread_footer.LIBCMT ref: 00F97BFB
                                            • Part of subcall function 00F301F8: EnterCriticalSection.KERNEL32(00FE070C,?,?,00F28747,00FE2514), ref: 00F30202
                                            • Part of subcall function 00F301F8: LeaveCriticalSection.KERNEL32(00FE070C,?,00F28747,00FE2514), ref: 00F30235
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                          • String ID: 5$G$Variable must be of type 'Object'.
                                          • API String ID: 535116098-3733170431
                                          • Opcode ID: 742dffb9583e2fc4c828ca43e5f92369bf44714ff9f88e62b6e0c2f794d62b3e
                                          • Instruction ID: a5b1406ab118fa26158eac45566c1a89195efbbdd6c4b6a2b634f68e1f3d0859
                                          • Opcode Fuzzy Hash: 742dffb9583e2fc4c828ca43e5f92369bf44714ff9f88e62b6e0c2f794d62b3e
                                          • Instruction Fuzzy Hash: 03919A70A14309EFEF04EF54D891DADB7B1BF49310F14805AF806AB292DB71AE81EB51
                                          APIs
                                            • Part of subcall function 00F7B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F721D0,?,?,00000034,00000800,?,00000034), ref: 00F7B42D
                                          • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F72760
                                            • Part of subcall function 00F7B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F721FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00F7B3F8
                                            • Part of subcall function 00F7B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00F7B355
                                            • Part of subcall function 00F7B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F72194,00000034,?,?,00001004,00000000,00000000), ref: 00F7B365
                                            • Part of subcall function 00F7B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F72194,00000034,?,?,00001004,00000000,00000000), ref: 00F7B37B
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F727CD
                                          • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F7281A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                          • String ID: @
                                          • API String ID: 4150878124-2766056989
                                          • Opcode ID: 68e0777a4737f76f9f31b9c35afe97247c75f016e7202fc14ac1f4462c5eecb7
                                          • Instruction ID: 3fc7dcb9e90761a4a2a282c20088a0c255172ff833027c230992a008e3f1487c
                                          • Opcode Fuzzy Hash: 68e0777a4737f76f9f31b9c35afe97247c75f016e7202fc14ac1f4462c5eecb7
                                          • Instruction Fuzzy Hash: E9413D76900218AFDB10DFA4CD45BDEBBB8AF05310F008096FA59B7181DB716E85DBA2
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\New PO.exe,00000104), ref: 00F41769
                                          • _free.LIBCMT ref: 00F41834
                                          • _free.LIBCMT ref: 00F4183E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: C:\Users\user\Desktop\New PO.exe
                                          • API String ID: 2506810119-645455076
                                          • Opcode ID: e6a2f8e39671edb357c365e1c1b8d5be3aa9975813e7ea65905bef7aa92f1412
                                          • Instruction ID: 564c31fd9a81c2d03f14bd7d36cc01f086cec90a373b8722f7d0b25e067190af
                                          • Opcode Fuzzy Hash: e6a2f8e39671edb357c365e1c1b8d5be3aa9975813e7ea65905bef7aa92f1412
                                          • Instruction Fuzzy Hash: 86316D71E40258ABDB21DB9A9C85D9EBFFCFB85320B144166F904DB211D6748A80EBA0
                                          APIs
                                          • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F7C306
                                          • DeleteMenu.USER32(?,00000007,00000000), ref: 00F7C34C
                                          • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00FE1990,01105E40), ref: 00F7C395
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Menu$Delete$InfoItem
                                          • String ID: 0
                                          • API String ID: 135850232-4108050209
                                          • Opcode ID: 9418425d86968558b27d0b7d043510afd7e69be9ab469c359bd346532e6b0b43
                                          • Instruction ID: a011dc5559757037ffb25608d12157f18f2ac47a076446645fa79e7724a8b870
                                          • Opcode Fuzzy Hash: 9418425d86968558b27d0b7d043510afd7e69be9ab469c359bd346532e6b0b43
                                          • Instruction Fuzzy Hash: AE4180716043019FD720DF25DC84B5ABBE8AF85320F14C61EF9A9972D1D774A904EBA3
                                          APIs
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FACC08,00000000,?,?,?,?), ref: 00FA44AA
                                          • GetWindowLongW.USER32 ref: 00FA44C7
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA44D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Long
                                          • String ID: SysTreeView32
                                          • API String ID: 847901565-1698111956
                                          • Opcode ID: 5197c472d3aa40dc6c8d7fbb1a604fbca9ffc96f4610eb4eff143061b163f1b2
                                          • Instruction ID: 79ba0c3d7692b236b78e4f96d71fba55838f8d9b2d7a7a01d8226453060c7424
                                          • Opcode Fuzzy Hash: 5197c472d3aa40dc6c8d7fbb1a604fbca9ffc96f4610eb4eff143061b163f1b2
                                          • Instruction Fuzzy Hash: 4B31ADB1610209AFDB20CE78DC45BEA77A9EB8A334F244725FD79921D0D7B4EC50AB50
                                          APIs
                                            • Part of subcall function 00F9335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00F93077,?,?), ref: 00F93378
                                          • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00F9307A
                                          • _wcslen.LIBCMT ref: 00F9309B
                                          • htons.WSOCK32(00000000,?,?,00000000), ref: 00F93106
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                          • String ID: 255.255.255.255
                                          • API String ID: 946324512-2422070025
                                          • Opcode ID: 15eb7203cbaa98695e5d9ebf7c3f79970c5011c1a0eb77742c85ad5ecdf06c9a
                                          • Instruction ID: 6d8570df5e31715828995ec7eed822218ac04e502d04ae9da477e3a1d31f1f09
                                          • Opcode Fuzzy Hash: 15eb7203cbaa98695e5d9ebf7c3f79970c5011c1a0eb77742c85ad5ecdf06c9a
                                          • Instruction Fuzzy Hash: DF310935A042059FEF20CF68C885FAA77F0EF15328F148055E4158B3A2D775EE85E760
                                          APIs
                                          • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FA4705
                                          • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FA4713
                                          • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FA471A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$DestroyWindow
                                          • String ID: msctls_updown32
                                          • API String ID: 4014797782-2298589950
                                          • Opcode ID: 29517373ca6321a0d199773c575b38d5b16382868d351a093d136aed793d3267
                                          • Instruction ID: 044b72db6f69d005986c4175334305d8b7af9e246da320bb9c454e55af9c49bc
                                          • Opcode Fuzzy Hash: 29517373ca6321a0d199773c575b38d5b16382868d351a093d136aed793d3267
                                          • Instruction Fuzzy Hash: AD2130B5600248AFDB10DF64DCC1DAA37ADEB8A3A4B040059F5009B351D771FC51EA60
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                          • API String ID: 176396367-2734436370
                                          • Opcode ID: 8acc17eae47e0f5ebdf67ecc6aac99208465e04e2c50ee7164be3af34a9c02dc
                                          • Instruction ID: a5a843402d75626db021509b7fc077f354af0a4a214af554e5df91bd208b860a
                                          • Opcode Fuzzy Hash: 8acc17eae47e0f5ebdf67ecc6aac99208465e04e2c50ee7164be3af34a9c02dc
                                          • Instruction Fuzzy Hash: 5221387250862166C331BA25DC02FB773E89F91320F148027F94D9B181EBD9AD85F297
                                          APIs
                                          • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00FA3840
                                          • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00FA3850
                                          • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00FA3876
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend$MoveWindow
                                          • String ID: Listbox
                                          • API String ID: 3315199576-2633736733
                                          • Opcode ID: db3ace4d6114574bbd7cec214baf3d45f644c71f95aa5ce7b76947328029e7ec
                                          • Instruction ID: f7c6622f908ab5c5ff2167794ccabe89aa5b0eb168e6cae8157ab74f1fb002ed
                                          • Opcode Fuzzy Hash: db3ace4d6114574bbd7cec214baf3d45f644c71f95aa5ce7b76947328029e7ec
                                          • Instruction Fuzzy Hash: 9521A7B2A141187BEF119F54CC45FBB376EEF8A760F118115F9049B190C675DC51A7E0
                                          APIs
                                          • SetErrorMode.KERNEL32(00000001), ref: 00F84A08
                                          • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F84A5C
                                          • SetErrorMode.KERNEL32(00000000,?,?,00FACC08), ref: 00F84AD0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ErrorMode$InformationVolume
                                          • String ID: %lu
                                          • API String ID: 2507767853-685833217
                                          • Opcode ID: 12d91e75015759d190d3fc8018f1c919a0668bdf082dbc3f5c80a20e800c5ed5
                                          • Instruction ID: 4cf6df17c15a829fc2989b7d6ab4e9cf426c204fdb69a56b08cddab02fdbc456
                                          • Opcode Fuzzy Hash: 12d91e75015759d190d3fc8018f1c919a0668bdf082dbc3f5c80a20e800c5ed5
                                          • Instruction Fuzzy Hash: CB318E71A00109AFDB10DF54C881EAA7BF8EF09318F1480A5E909DB252DB75EE45DBA1
                                          APIs
                                          • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FA424F
                                          • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FA4264
                                          • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FA4271
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: msctls_trackbar32
                                          • API String ID: 3850602802-1010561917
                                          • Opcode ID: 6e4df4fc63963c08f26761ac4b340a8dda4f52e83f9dcadb290dc64679912300
                                          • Instruction ID: 1862c373ea17d106e7b34e2e1b860b49dfa293fb79a540c7eed39d410b25b825
                                          • Opcode Fuzzy Hash: 6e4df4fc63963c08f26761ac4b340a8dda4f52e83f9dcadb290dc64679912300
                                          • Instruction Fuzzy Hash: 99110671640248BEEF205F29CC46FAB3BACEFC6B64F010124FA55E6090D6B1EC51AB60
                                          APIs
                                            • Part of subcall function 00F16B57: _wcslen.LIBCMT ref: 00F16B6A
                                            • Part of subcall function 00F72DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F72DC5
                                            • Part of subcall function 00F72DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F72DD6
                                            • Part of subcall function 00F72DA7: GetCurrentThreadId.KERNEL32 ref: 00F72DDD
                                            • Part of subcall function 00F72DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F72DE4
                                          • GetFocus.USER32 ref: 00F72F78
                                            • Part of subcall function 00F72DEE: GetParent.USER32(00000000), ref: 00F72DF9
                                          • GetClassNameW.USER32(?,?,00000100), ref: 00F72FC3
                                          • EnumChildWindows.USER32(?,00F7303B), ref: 00F72FEB
                                          Similarity
                                          • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                          • String ID: %s%d
                                          • API String ID: 1272988791-1110647743
                                          APIs
                                          • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA58C1
                                          • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FA58EE
                                          • DrawMenuBar.USER32(?), ref: 00FA58FD
                                          Similarity
                                          • API ID: Menu$InfoItem$Draw
                                          • String ID: 0
                                          • API String ID: 3227129158-4108050209
                                          APIs
                                          • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00F6D3BF
                                          • FreeLibrary.KERNEL32 ref: 00F6D3E5
                                          Similarity
                                          • API ID: AddressFreeLibraryProc
                                          • String ID: GetSystemWow64DirectoryW$X64
                                          • API String ID: 3013587201-2590602151
                                          Similarity
                                          • API ID: Variant$ClearInitInitializeUninitialize
                                          • API String ID: 1998397398-0
                                          APIs
                                          • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F705F0
                                          • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F70608
                                          • CLSIDFromProgID.OLE32(?,?,00000000,00FACC40,000000FF,?,00000000,00000800,00000000,?,00FAFC08,?), ref: 00F7062D
                                          • _memcmp.LIBVCRUNTIME ref: 00F7064E
                                          Similarity
                                          • API ID: FromProg$FreeTask_memcmp
                                          • API String ID: 314563124-0
                                          Similarity
                                          • API ID: _free
                                          • API String ID: 269201875-0
                                          APIs
                                          • GetWindowRect.USER32(01110CC8,?), ref: 00FA62E2
                                          • ScreenToClient.USER32(?,?), ref: 00FA6315
                                          • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FA6382
                                          Similarity
                                          • API ID: Window$ClientMoveRectScreen
                                          • API String ID: 3880355969-0
                                          APIs
                                          • socket.WSOCK32(00000002,00000002,00000011), ref: 00F91AFD
                                          • WSAGetLastError.WSOCK32 ref: 00F91B0B
                                          • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00F91B8A
                                          • WSAGetLastError.WSOCK32 ref: 00F91B94
                                          Similarity
                                          • API ID: ErrorLast$socket
                                          • API String ID: 1881357543-0
                                          APIs
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F85783
                                          • GetLastError.KERNEL32(?,00000000), ref: 00F857A9
                                          • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F857CE
                                          • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F857FA
                                          Similarity
                                          • API ID: CreateHardLink$DeleteErrorFileLast
                                          • API String ID: 3321077145-0
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,00F36D71,00000000,00000000,00F382D9,?,00F382D9,?,00000001,00F36D71,8BE85006,00000001,00F382D9,00F382D9), ref: 00F4D910
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F4D999
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 00F4D9AB
                                          • __freea.LIBCMT ref: 00F4D9B4
                                            • Part of subcall function 00F43820: RtlAllocateHeap.NTDLL(00000000,?,00FE1444,?,00F2FDF5,?,?,00F1A976,00000010,00FE1440,00F113FC,?,00F113C6,?,00F11129), ref: 00F43852
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                          • API String ID: 2652629310-0
                                          APIs
                                          • SendMessageW.USER32(?,00001024,00000000,?), ref: 00FA5352
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA5375
                                          • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FA5382
                                          • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FA53A8
                                          Similarity
                                          • API ID: LongWindow$InvalidateMessageRectSend
                                          • API String ID: 3340791633-0
                                          APIs
                                          • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F7ABF1
                                          • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F7AC0D
                                          • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F7AC74
                                          • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F7ACC6
                                          Similarity
                                          • API ID: KeyboardState$InputMessagePostSend
                                          • API String ID: 432972143-0
                                          APIs
                                          • ClientToScreen.USER32(?,?), ref: 00FA769A
                                          • GetWindowRect.USER32(?,?), ref: 00FA7710
                                          • PtInRect.USER32(?,?,00FA8B89), ref: 00FA7720
                                          • MessageBeep.USER32(00000000), ref: 00FA778C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Rect$BeepClientMessageScreenWindow
                                          • String ID:
                                          • API String ID: 1352109105-0
                                          • Opcode ID: fd087d08f412436d9e7ed27e006324afccdd230bf336ae3e2919b501f431f2bb
                                          • Instruction ID: 9a6d9514c7e2cac856ac328c15b0f5e08bbfbd6efc641747d53820d6135094e7
                                          • Opcode Fuzzy Hash: fd087d08f412436d9e7ed27e006324afccdd230bf336ae3e2919b501f431f2bb
                                          • Instruction Fuzzy Hash: F5419CB4A09358DFDB01EF59CC94EA9BBF4BB4A310F1940A9E4149B261C730A941EB90
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 00FA16EB
                                            • Part of subcall function 00F73A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F73A57
                                            • Part of subcall function 00F73A3D: GetCurrentThreadId.KERNEL32 ref: 00F73A5E
                                            • Part of subcall function 00F73A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00F725B3), ref: 00F73A65
                                          • GetCaretPos.USER32(?), ref: 00FA16FF
                                          • ClientToScreen.USER32(00000000,?), ref: 00FA174C
                                          • GetForegroundWindow.USER32 ref: 00FA1752
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                          • String ID:
                                          • API String ID: 2759813231-0
                                          • Opcode ID: bf7781c6fdd6a958485c30b1010759a6fbcd2202ee2d6a65294288e417d39ee8
                                          • Instruction ID: 66444bf3494643a99b92aa962146c2fefb0c655e35bcef93fd8aa528103b35cd
                                          • Opcode Fuzzy Hash: bf7781c6fdd6a958485c30b1010759a6fbcd2202ee2d6a65294288e417d39ee8
                                          • Instruction Fuzzy Hash: D0314FB5D00249AFD700EFA9C881CEEBBF9EF49304B5480AAE415E7211D735DE45DBA0
                                          APIs
                                          • CreateToolhelp32Snapshot.KERNEL32 ref: 00F7D501
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 00F7D50F
                                          • Process32NextW.KERNEL32(00000000,?), ref: 00F7D52F
                                          • CloseHandle.KERNEL32(00000000), ref: 00F7D5DC
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                          • String ID:
                                          • API String ID: 420147892-0
                                          • Opcode ID: c4d14b0d659a5deebcd7978076ce80b8f7db73a464f8f0dad9ea4fa17923b731
                                          • Instruction ID: e7d2c26d28d53cc935951a5421380c99d66a9fb2c2c2330c12620a0ab7703bda
                                          • Opcode Fuzzy Hash: c4d14b0d659a5deebcd7978076ce80b8f7db73a464f8f0dad9ea4fa17923b731
                                          • Instruction Fuzzy Hash: E6319E721083009FD300EF54CC81AAFBBF8EF99354F54492EF585821A1EB719984EBA3
                                          APIs
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          • GetCursorPos.USER32(?), ref: 00FA9001
                                          • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F67711,?,?,?,?,?), ref: 00FA9016
                                          • GetCursorPos.USER32(?), ref: 00FA905E
                                          • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F67711,?,?,?), ref: 00FA9094
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Cursor$LongMenuPopupProcTrackWindow
                                          • String ID:
                                          • API String ID: 2864067406-0
                                          • Opcode ID: a1380b067ed8ba4de1dce9cf738fa50b75772b4b3888f27fbf730c8b53afbd20
                                          • Instruction ID: a8b79b33be88973f906bb5cc5a556f0761821df2b814f2dd605404785ac6ca4a
                                          • Opcode Fuzzy Hash: a1380b067ed8ba4de1dce9cf738fa50b75772b4b3888f27fbf730c8b53afbd20
                                          • Instruction Fuzzy Hash: 95219175A04018EFDB258FA5DC58EEA7BB9FF8A3A0F148065F5054B261C371A950FB60
                                          APIs
                                          • GetFileAttributesW.KERNEL32(?,00FACB68), ref: 00F7D2FB
                                          • GetLastError.KERNEL32 ref: 00F7D30A
                                          • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F7D319
                                          • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FACB68), ref: 00F7D376
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CreateDirectory$AttributesErrorFileLast
                                          • String ID:
                                          • API String ID: 2267087916-0
                                          • Opcode ID: 254589bb211a7f9b1fca9e0e22340404247f4100c53c66df89c4fa0373ee2b89
                                          • Instruction ID: 0a9a066c29a04bf902dd0fc4b263ba2177dc8817bf182691894c985ca8c88657
                                          • Opcode Fuzzy Hash: 254589bb211a7f9b1fca9e0e22340404247f4100c53c66df89c4fa0373ee2b89
                                          • Instruction Fuzzy Hash: 4621A3709083019F8700DF24C8819AA77F4EE56368F908A1EF49DC32A1DB31D945EB93
                                          APIs
                                            • Part of subcall function 00F71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F7102A
                                            • Part of subcall function 00F71014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F71036
                                            • Part of subcall function 00F71014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71045
                                            • Part of subcall function 00F71014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00F7104C
                                            • Part of subcall function 00F71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F71062
                                          • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F715BE
                                          • _memcmp.LIBVCRUNTIME ref: 00F715E1
                                          • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F71617
                                          • HeapFree.KERNEL32(00000000), ref: 00F7161E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                          • String ID:
                                          • API String ID: 1592001646-0
                                          • Opcode ID: 171606e18652020d8cc5b30401fbfc06e304ae1e0bdb9e1889dda1ad50ce4dde
                                          • Instruction ID: 66570cda82a23f0c892d4ccd74e44c48da2aa8decad7f3929cd7cedacad21305
                                          • Opcode Fuzzy Hash: 171606e18652020d8cc5b30401fbfc06e304ae1e0bdb9e1889dda1ad50ce4dde
                                          • Instruction Fuzzy Hash: 2B217C71E00108EFDB14DFA8D945BEEB7B8FF44354F18845AE445AB241E730AA09EB91
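The function summaries above (the GetKeyboardState/SetKeyboardState/SendInput chain, the CreateToolhelp32Snapshot/Process32NextW loop, the AttachThreadInput/GetCaretPos pair and the TokenIntegrityLevel lookup) are what a responder triages first when reading a report like this. As an added example that is not part of the Joe Sandbox report or its IDA plugin output, the Python below parses this listing format into per-function records (including the "Part of subcall function" rows and arguments that themselves contain parentheses, such as `00000003(TokenIntegrityLevel)`) and tags the API chains worth a closer look. The tag names and the rule set are this example's own assumptions, and the sample text is constructed by excerpting and trimming three blocks from the report. One caveat a practitioner would add: the report classifies the sample as a likely compiled AutoIt script, and these chains are consistent with the AutoIt runtime's own helpers (keystroke sending, process listing, caret lookup) that are present in benign AutoIt binaries too, so a tag points at what to inspect rather than giving a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class ApiCall:
    name: str                  # e.g. "Process32NextW"
    module: str                # e.g. "KERNEL32"
    args: str                  # raw argument list as printed; "" when the report shows none
    ref: str                   # call-site address from the "ref:" field
    subcall_of: Optional[str]  # callee address for "Part of subcall function" rows, else None


@dataclass
class FunctionRecord:
    instruction_id: str = ""
    api_id: str = ""
    string_id: str = ""
    calls: List[ApiCall] = field(default_factory=list)


# One API row: optional "Part of subcall function X:" prefix, Name.MODULE, an optional
# "(args)" that may itself contain parentheses, then ", ref: ADDR" or " ref: ADDR".
_CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$"
)
# Metadata rows such as "• API ID: ..." or "• Instruction ID: ...".
_KV_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")


def parse_report(text: str) -> List[FunctionRecord]:
    """Split the listing on 'APIs' headers and collect each block's calls and IDs."""
    records: List[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line:
            continue
        m = _CALL_RE.match(line)
        if m:
            cur.calls.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"]))
            continue
        m = _KV_RE.match(line)
        if m:
            key, val = m["key"].strip(), m["val"].strip()
            if key == "Instruction ID":
                cur.instruction_id = val
            elif key == "API ID":
                cur.api_id = val
            elif key == "String ID":
                cur.string_id = val
    return records


def names(r: FunctionRecord) -> set:
    return {c.name for c in r.calls}


# Hypothetical triage rules keyed on the call set; the tag names are this example's own.
RULES: Dict[str, Callable[[FunctionRecord], bool]] = {
    "process-enumeration": lambda r: {"CreateToolhelp32Snapshot", "Process32NextW"} <= names(r),
    "synthetic-input": lambda r: bool({"SendInput", "SetKeyboardState"} & names(r)),
    "integrity-level-query": lambda r: any(
        c.name == "GetTokenInformation" and "TokenIntegrityLevel" in c.args for c in r.calls),
    "foreground-input-attach": lambda r: {"AttachThreadInput", "GetForegroundWindow"} <= names(r),
    "layered-window": lambda r: "SetLayeredWindowAttributes" in names(r),
}


def classify(r: FunctionRecord) -> List[str]:
    return sorted(tag for tag, pred in RULES.items() if pred(r))


def triage(text: str) -> Dict[str, List[str]]:
    """Map each function's Instruction ID to the tags its API chain triggers."""
    return {r.instruction_id: classify(r) for r in parse_report(text)}


# Constructed sample: three blocks excerpted and trimmed from the report above.
SAMPLE = """\
APIs
• GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00F7ABF1
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00F7AC0D
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00F7AC74
• SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00F7ACC6
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• Instruction ID: 10346a1dbd912118b0f3bfd98b75045b9a29531852c3790458175cf1b0f85a14
APIs
• CreateToolhelp32Snapshot.KERNEL32 ref: 00F7D501
• Process32FirstW.KERNEL32(00000000,?), ref: 00F7D50F
• Process32NextW.KERNEL32(00000000,?), ref: 00F7D52F
• CloseHandle.KERNEL32(00000000), ref: 00F7D5DC
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
• String ID:
• Instruction ID: e7d2c26d28d53cc935951a5421380c99d66a9fb2c2c2330c12620a0ab7703bda
APIs
  • Part of subcall function 00F71014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F7102A
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F715BE
• _memcmp.LIBVCRUNTIME ref: 00F715E1
• HeapFree.KERNEL32(00000000), ref: 00F7161E
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• Instruction ID: 66570cda82a23f0c892d4ccd74e44c48da2aa8decad7f3929cd7cedacad21305
"""

if __name__ == "__main__":
    for iid, tags in triage(SAMPLE).items():
        print(iid[:16], tags)
```

The Instruction ID is used as the key because it is stable per function within a report, whereas the fuzzy hashes are meant for cross-sample similarity. To run this over a full report, paste the text of the function listing into `SAMPLE` or read it from a file; rows the regexes do not recognise (Memory Dump Source, snapshot file names) are skipped rather than failing the parse.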
                                          APIs
                                          • GetWindowLongW.USER32(?,000000EC), ref: 00FA280A
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA2824
                                          • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FA2832
                                          • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FA2840
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Long$AttributesLayered
                                          • String ID:
                                          • API String ID: 2169480361-0
                                          • Opcode ID: b2d9c0d2deb558b8df32775522770d1d83e1bce85501721d6ea79eb65c49c2a0
                                          • Instruction ID: a4645fdbf8ad14d83503c0e3c7e1d02254b307507c562c741527bd0aa42d0c71
                                          • Opcode Fuzzy Hash: b2d9c0d2deb558b8df32775522770d1d83e1bce85501721d6ea79eb65c49c2a0
                                          • Instruction Fuzzy Hash: 2321F171704110AFD7549B28CC44FAA7B95AF46324F188158F4268B6E2CB79FD82DBD0
                                          APIs
                                            • Part of subcall function 00F78D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00F7790A,?,000000FF,?,00F78754,00000000,?,0000001C,?,?), ref: 00F78D8C
                                            • Part of subcall function 00F78D7D: lstrcpyW.KERNEL32(00000000,?,?,00F7790A,?,000000FF,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F78DB2
                                            • Part of subcall function 00F78D7D: lstrcmpiW.KERNEL32(00000000,?,00F7790A,?,000000FF,?,00F78754,00000000,?,0000001C,?,?), ref: 00F78DE3
                                          • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F77923
                                          • lstrcpyW.KERNEL32(00000000,?,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F77949
                                          • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F78754,00000000,?,0000001C,?,?,00000000), ref: 00F77984
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: lstrcmpilstrcpylstrlen
                                          • String ID: cdecl
                                          • API String ID: 4031866154-3896280584
                                          • Opcode ID: 48ca1e489f552684ca88319403cab84353e1f3a69e79f37ceff055a84b729f7a
                                          • Instruction ID: 4cab584048732b93306f46b58276fc5a5f29cfdf2a0606242bb039088e6c5dd4
                                          • Opcode Fuzzy Hash: 48ca1e489f552684ca88319403cab84353e1f3a69e79f37ceff055a84b729f7a
                                          • Instruction Fuzzy Hash: 5F11D63A211305ABCB156F34DC49E7B77B5FF99390B50802BF94AC7264EB319811E792
                                          APIs
                                          • GetWindowLongW.USER32(?,000000F0), ref: 00FA7D0B
                                          • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FA7D2A
                                          • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FA7D42
                                          • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F8B7AD,00000000), ref: 00FA7D6B
                                            • Part of subcall function 00F29BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F29BB2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$Long
                                          • String ID:
                                          • API String ID: 847901565-0
                                          • Opcode ID: 65cbb7c61b6dab39de2221e41095859365b1cc973eeea394ccea4289ae564756
                                          • Instruction ID: d903f649810646308e77af2a8d961de15221e55cdb3aa07766eb7ace73b6bd95
                                          • Opcode Fuzzy Hash: 65cbb7c61b6dab39de2221e41095859365b1cc973eeea394ccea4289ae564756
                                          • Instruction Fuzzy Hash: 2F11A5B2A047599FCB10AF29CC04E6A3BA5BF46370B154724F839DB2F0D7309950EB90
                                          APIs
                                          • SendMessageW.USER32(?,00001060,?,00000004), ref: 00FA56BB
                                          • _wcslen.LIBCMT ref: 00FA56CD
                                          • _wcslen.LIBCMT ref: 00FA56D8
                                          • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FA5816
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend_wcslen
                                          • String ID:
                                          • API String ID: 455545452-0
                                          • Opcode ID: 9686825bc784dfd9819d8511c3139dcd3a8c683190679c1045f33eabb6953e1a
                                          • Instruction ID: ca6fb28de6901172dc3c5ef4da150dc126ec30294f0cf6e9614192545280875c
                                          • Opcode Fuzzy Hash: 9686825bc784dfd9819d8511c3139dcd3a8c683190679c1045f33eabb6953e1a
                                          • Instruction Fuzzy Hash: 5611B1F6A0060896DF20DF618C85AEE77BCBF16B70F104026F915D6181EB74DA84EBA1
                                          APIs
                                          • SendMessageW.USER32(?,000000B0,?,?), ref: 00F71A47
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A59
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A6F
                                          • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F71A8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID:
                                          • API String ID: 3850602802-0
                                          • Opcode ID: 34d62d75c09fea3622209528c037ead3031bee3914008355c44dac1cf209f942
                                          • Instruction ID: 0802b0c18bd8d2fc9ccf32cda9a7c5438bd58c724df06b29770b737d985a619e
                                          • Opcode Fuzzy Hash: 34d62d75c09fea3622209528c037ead3031bee3914008355c44dac1cf209f942
                                          • Instruction Fuzzy Hash: 58110C7AD01219FFEB11DBA9CD85FADBB78FB08750F204092E604B7290D6716E50EB94
                                          APIs
                                          • GetCurrentThreadId.KERNEL32 ref: 00F7E1FD
                                          • MessageBoxW.USER32(?,?,?,?), ref: 00F7E230
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F7E246
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F7E24D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                           • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 2880819207-0
                                          • Opcode ID: a962e213e901ebbf5ec39e2881d9b25d92fdd27b7bacd51f740b6ff82d54e51d
                                          • Instruction ID: b9da5eff80b57ad3ca0720c5ab6602c484c44ac80b9ab13f4495c2e589b4c1ab
                                          • Opcode Fuzzy Hash: a962e213e901ebbf5ec39e2881d9b25d92fdd27b7bacd51f740b6ff82d54e51d
                                          • Instruction Fuzzy Hash: 47112BB2E0425CBFC7019FA89C45A9F7FADAB45320F008257F818D7291D670CD00A7A1
                                          APIs
                                          • CreateThread.KERNEL32(00000000,?,00F3CFF9,00000000,00000004,00000000), ref: 00F3D218
                                          • GetLastError.KERNEL32 ref: 00F3D224
                                          • __dosmaperr.LIBCMT ref: 00F3D22B
                                          • ResumeThread.KERNEL32(00000000), ref: 00F3D249
                                          Similarity
                                          • API ID: Thread$CreateErrorLastResume__dosmaperr
                                          • String ID:
                                          • API String ID: 173952441-0
                                          • Opcode ID: 5d83678ee5d747c94c4e95bf80c74f6d593348290aad5f3215c3d014faa1a02c
                                          • Instruction ID: 90173a997b3dc12643d340cb41cba3c9d366a9023650074a13042030c5efecc3
                                          • Opcode Fuzzy Hash: 5d83678ee5d747c94c4e95bf80c74f6d593348290aad5f3215c3d014faa1a02c
                                          • Instruction Fuzzy Hash: B101D276805208BBDB216BA5EC09BAB7A69DF82731F100229F925921D0CF71C905E6A0
                                          APIs
                                          • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
                                          • GetStockObject.GDI32(00000011), ref: 00F16060
                                          • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A
                                          Similarity
                                          • API ID: CreateMessageObjectSendStockWindow
                                          • String ID:
                                          • API String ID: 3970641297-0
                                          • Opcode ID: db5b076c67e4dd3546d76e3999a0af83f14fa5dc7965dd30b792aaac2de22b3a
                                          • Instruction ID: 5f0be766a10e3a9cdd354beab04df7f7d50b96ab4a0470fa082fec099b65aa96
                                          • Opcode Fuzzy Hash: db5b076c67e4dd3546d76e3999a0af83f14fa5dc7965dd30b792aaac2de22b3a
                                          • Instruction Fuzzy Hash: EC115BB2501548BFEF128FA49C44AEABBA9EF0D3A4F040215FA1492110D7329CA0FBA0
                                          APIs
                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 00F33B56
                                            • Part of subcall function 00F33AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00F33AD2
                                            • Part of subcall function 00F33AA3: ___AdjustPointer.LIBCMT ref: 00F33AED
                                          • _UnwindNestedFrames.LIBCMT ref: 00F33B6B
                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00F33B7C
                                          • CallCatchBlock.LIBVCRUNTIME ref: 00F33BA4
                                          Similarity
                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                          • String ID:
                                          • API String ID: 737400349-0
                                          • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                          • Instruction ID: 9e5e932ea68d3dbcd64d8f127b9e5014d5130a7a4f7b72e24fa702bf94ee80dc
                                          • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                          • Instruction Fuzzy Hash: 1F01E972500149BBDF129E95CC46EEB7B69EF98764F044014FE48A6121C73AE961EBA0
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00F113C6,00000000,00000000,?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue), ref: 00F430A5
                                          • GetLastError.KERNEL32(?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue,00FB2290,FlsSetValue,00000000,00000364,?,00F42E46), ref: 00F430B1
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F4301A,00F113C6,00000000,00000000,00000000,?,00F4328B,00000006,FlsSetValue,00FB2290,FlsSetValue,00000000), ref: 00F430BF
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: 5b75f349f812fcc0904b785cbd0d81854fecb4e1de48b6b80c0ac97069c64e91
                                          • Instruction ID: 369c8e6412267f548f5d6a6854e56ac9b8c6386594470e2b02795e41b1c40a0a
                                          • Opcode Fuzzy Hash: 5b75f349f812fcc0904b785cbd0d81854fecb4e1de48b6b80c0ac97069c64e91
                                          • Instruction Fuzzy Hash: 5301DB76701226ABCB314B7D9C85A577FD8EF46B75B210720FD05E7140DB21D901E6E0
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00F7747F
                                          • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F77497
                                          • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F774AC
                                          • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F774CA
                                          Similarity
                                          • API ID: Type$Register$FileLoadModuleNameUser
                                          • String ID:
                                          • API String ID: 1352324309-0
                                          • Opcode ID: 069b0e8b26421019b28113de3067771ad46e836e65227fc0c6ef9039c66e0ad6
                                          • Instruction ID: c301dac4a56817474eb8258527eca452a53c9c112facde7c14326a08ff237ddf
                                          • Opcode Fuzzy Hash: 069b0e8b26421019b28113de3067771ad46e836e65227fc0c6ef9039c66e0ad6
                                          • Instruction Fuzzy Hash: 111161B5219315DBE720DF24DC09F927FFCEB04B04F10C56AAA5AD6191D7B0E904EB92
                                          APIs
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0C4
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0E9
                                          • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B0F3
                                          • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00F7ACD3,?,00008000), ref: 00F7B126
                                          Similarity
                                          • API ID: CounterPerformanceQuerySleep
                                          • String ID:
                                          • API String ID: 2875609808-0
                                          • Opcode ID: 876203871653c9f4c0fc3f4192745603528432d502f9cfb29aca35d1992ac5f6
                                          • Instruction ID: 0a37c44b0ff2f815a3f5a830a66137c83d34d3b9480c924cf21c9cd377656e5c
                                          • Opcode Fuzzy Hash: 876203871653c9f4c0fc3f4192745603528432d502f9cfb29aca35d1992ac5f6
                                          • Instruction Fuzzy Hash: B6118B71E0152CE7CF00AFE4E9687EEBB78FF0A311F108086D945B2181CB704651EB92
                                          APIs
                                          • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00F72DC5
                                          • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F72DD6
                                          • GetCurrentThreadId.KERNEL32 ref: 00F72DDD
                                          • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00F72DE4
                                          Similarity
                                          • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                          • String ID:
                                          • API String ID: 2710830443-0
                                          • Opcode ID: ef3f3c3d47b10b5ae82e8a1df5f961be80adcbc7d30f7c05385c1fd7dfc30202
                                          • Instruction ID: 4918c081794212979daeb782d06a014d2ea8e42df73ae2429b7ab961a53484ec
                                          • Opcode Fuzzy Hash: ef3f3c3d47b10b5ae82e8a1df5f961be80adcbc7d30f7c05385c1fd7dfc30202
                                          • Instruction Fuzzy Hash: 04E06DB26012287AD7205B639C0DFEB3E6CEB43BA1F004016B109D11809AA08840E6F1
                                          APIs
                                            • Part of subcall function 00F29639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F29693
                                            • Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296A2
                                            • Part of subcall function 00F29639: BeginPath.GDI32(?), ref: 00F296B9
                                            • Part of subcall function 00F29639: SelectObject.GDI32(?,00000000), ref: 00F296E2
                                          • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FA8887
                                          • LineTo.GDI32(?,?,?), ref: 00FA8894
                                          • EndPath.GDI32(?), ref: 00FA88A4
                                          • StrokePath.GDI32(?), ref: 00FA88B2
                                          Similarity
                                          • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                          • String ID:
                                          • API String ID: 1539411459-0
                                          • Opcode ID: 15f98967df03a51305d91d880b10f9e5f0dedce26448059f81b39f6e857d7e65
                                          • Instruction ID: 7ddecf090f3625819705af2b246590aea2b0224a3f149cd1206c815c4b4664e0
                                          • Opcode Fuzzy Hash: 15f98967df03a51305d91d880b10f9e5f0dedce26448059f81b39f6e857d7e65
                                          • Instruction Fuzzy Hash: B4F03A76045258BADB125F94AC0DFCE3F59AF06310F448000FA11A50E2CBB95511EBE9
                                          APIs
                                          • GetSysColor.USER32(00000008), ref: 00F298CC
                                          • SetTextColor.GDI32(?,?), ref: 00F298D6
                                          • SetBkMode.GDI32(?,00000001), ref: 00F298E9
                                          • GetStockObject.GDI32(00000005), ref: 00F298F1
                                          Similarity
                                          • API ID: Color$ModeObjectStockText
                                          • String ID:
                                          • API String ID: 4037423528-0
                                          • Opcode ID: 6c16219b8a4ee1b8254383ae528bdda508788c70e94f635608260d02592ef8e5
                                          • Instruction ID: d4494bb5f9f90e8f0d67471d86bfcad8bfb2490d497f8809a7b80651a3a0387f
                                          • Opcode Fuzzy Hash: 6c16219b8a4ee1b8254383ae528bdda508788c70e94f635608260d02592ef8e5
                                          • Instruction Fuzzy Hash: 6CE06D71644288AEDB216B74BC09BE83F60EB13736F088219F6FA580E1C7724680AB10
                                          APIs
                                          • GetCurrentThread.KERNEL32 ref: 00F71634
                                          • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F711D9), ref: 00F7163B
                                          • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F711D9), ref: 00F71648
                                          • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F711D9), ref: 00F7164F
                                          Similarity
                                          • API ID: CurrentOpenProcessThreadToken
                                          • String ID:
                                          • API String ID: 3974789173-0
                                          • Opcode ID: e4278f2f94680fbf701a073f8e9698c04f8170203ab649d23502518159a9e5e7
                                          • Instruction ID: 5caadc0f98027b22dac22709af86485a52ec30aea1e58916edb6d9adcd838015
                                          • Opcode Fuzzy Hash: e4278f2f94680fbf701a073f8e9698c04f8170203ab649d23502518159a9e5e7
                                          • Instruction Fuzzy Hash: AEE086B1A01215DBD7201FA49D0DB473BBCBF467A1F14C809F245C9080D6344544E791
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00F6D858
                                          • GetDC.USER32(00000000), ref: 00F6D862
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6D882
                                          • ReleaseDC.USER32(?), ref: 00F6D8A3
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: a38fb8ca51e75167f1ae84f1cd9d3622af0a10b78000eef3e029cc24e3899f15
                                          • Instruction ID: de097d6f6a473eeb2f4ef351a53ad16ff9da480fb6dcf43b3cc8c5748a70ce3b
                                          • Opcode Fuzzy Hash: a38fb8ca51e75167f1ae84f1cd9d3622af0a10b78000eef3e029cc24e3899f15
                                          • Instruction Fuzzy Hash: 4BE09AB5940209DFCB41DFA0D90C66DBBB5FB09311F148459E84AE7350CB389941BF90
                                          APIs
                                          • GetDesktopWindow.USER32 ref: 00F6D86C
                                          • GetDC.USER32(00000000), ref: 00F6D876
                                          • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F6D882
                                          • ReleaseDC.USER32(?), ref: 00F6D8A3
                                          Similarity
                                          • API ID: CapsDesktopDeviceReleaseWindow
                                          • String ID:
                                          • API String ID: 2889604237-0
                                          • Opcode ID: 94ffb31e5f21f7b09dc2ea295972a20b68590d7dee9d9cbf4cf14313b6c25e32
                                          • Instruction ID: d2ccbaca1cf1d56ae8c0eddaf3b6aba213625b809ca9ba951a5bdeb6b6ab1e6c
                                          • Opcode Fuzzy Hash: 94ffb31e5f21f7b09dc2ea295972a20b68590d7dee9d9cbf4cf14313b6c25e32
                                          • Instruction Fuzzy Hash: A2E092B5800208EFCB51EFA0D80866EBBB5BB09311B148449E94AE7360CB389942BF90
                                          APIs
                                            • Part of subcall function 00F17620: _wcslen.LIBCMT ref: 00F17625
                                          • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00F84ED4
                                          Strings
                                          Similarity
                                          • API ID: Connection_wcslen
                                          • String ID: *$LPT
                                          • API String ID: 1725874428-3443410124
                                          • Opcode ID: 7f07519fc601a9a08d09834be6ee22fc073fb72d568af33b150972220f9c930a
                                          • Instruction ID: f47f3a68d9d9d989052617d25fc56ecc0d6dcf3c39b4bf5a978353654de2c641
                                          • Opcode Fuzzy Hash: 7f07519fc601a9a08d09834be6ee22fc073fb72d568af33b150972220f9c930a
                                          • Instruction Fuzzy Hash: 48913C75A002059FCB14EF58C884EEABBF1AF44314F19809DE90A9F3A2D735ED85DB91
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00F3E30D
                                          Strings
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: 30aad09ac9ec555d3b904b5bb49d5bf2579d60cfde808957fef80490eee62894
                                          • Instruction ID: d204426f008871a343637c4f1cf81205bd5401bfd04b9d2d9cf75c30eb5e1faf
                                          • Opcode Fuzzy Hash: 30aad09ac9ec555d3b904b5bb49d5bf2579d60cfde808957fef80490eee62894
                                          • Instruction Fuzzy Hash: 33516B61E1C30696CB157724CD413BA3FA4EF40770F348E68E8D5823E9EB348C95BA86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID:
                                          • String ID: #
                                          • API String ID: 0-1885708031
                                          • Opcode ID: 29ab4170986eef7dc230b4d855552ef02adae3a631658b1ccca33df3441786ff
                                          • Instruction ID: 0dddadd7a2dcfc6b4acc5074d3fb30c7a09783cf88203b707b243d474ae2aa19
                                          • Opcode Fuzzy Hash: 29ab4170986eef7dc230b4d855552ef02adae3a631658b1ccca33df3441786ff
                                          • Instruction Fuzzy Hash: 6F51367AD04256DFDF15DF28D4416FA7BA8EF55320F344055ECA29B2C0D6349D42EBA0
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00F2F2A2
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F2F2BB
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: GlobalMemorySleepStatus
                                          • String ID: @
                                          • API String ID: 2783356886-2766056989
                                          • Opcode ID: 5bff894f9d9264a75b7a5797fd2bbb54449dc2f046434c77990bbd41b1c45e15
                                          • Instruction ID: ea68aaff0db99a935bf3974eda544f1240d8066d19a5b7f901e44f4d86b321ac
                                          • Opcode Fuzzy Hash: 5bff894f9d9264a75b7a5797fd2bbb54449dc2f046434c77990bbd41b1c45e15
                                          • Instruction Fuzzy Hash: 825136714087489BD320AF10DC86BAFBBF8FF85300F81885DF1D9421A5EB749569DBA6
                                          APIs
                                          • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00F957E0
                                          • _wcslen.LIBCMT ref: 00F957EC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: BuffCharUpper_wcslen
                                          • String ID: CALLARGARRAY
                                          • API String ID: 157775604-1150593374
                                          • Opcode ID: 22696fd1d344cbf9e5522c0671eebcb707b0b3c1d83da9865edd697a90d734d8
                                          • Instruction ID: d90f5c211101becc13aaaed3e03eb7eac513cd203642ff0f26c9e915d93d1214
                                          • Opcode Fuzzy Hash: 22696fd1d344cbf9e5522c0671eebcb707b0b3c1d83da9865edd697a90d734d8
                                          • Instruction Fuzzy Hash: E241BE71E002099FDF14EFA9C8859EEBBB5EF59720F108029E505A7252EB349D81EB90
                                          APIs
                                          • _wcslen.LIBCMT ref: 00F8D130
                                          • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F8D13A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: CrackInternet_wcslen
                                          • String ID: |
                                          • API String ID: 596671847-2343686810
                                          • Opcode ID: 272aafe7dcd88f224397746fbd9dea9c059b53046331ddcad1d58af4b5225737
                                          • Instruction ID: f22ad338668a4be6e47b5eb5ac532db52cb451f8835c22bb0da49d82d96289de
                                          • Opcode Fuzzy Hash: 272aafe7dcd88f224397746fbd9dea9c059b53046331ddcad1d58af4b5225737
                                          • Instruction Fuzzy Hash: 40317E71D00209ABDF11EFA5CC85EEEBFB9FF04310F000019F815A6162EB35AA46EB64
                                          APIs
                                          • DestroyWindow.USER32(?,?,?,?), ref: 00FA3621
                                          • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00FA365C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$DestroyMove
                                          • String ID: static
                                          • API String ID: 2139405536-2160076837
                                          • Opcode ID: 06ea941c66746dd0ceff467c36898513c0e47c5fcfa98496b01d57c906c61772
                                          • Instruction ID: df153e2bde81b209198f522c969d53ac2ebb6ab88e8b75bd09350e638251d86d
                                          • Opcode Fuzzy Hash: 06ea941c66746dd0ceff467c36898513c0e47c5fcfa98496b01d57c906c61772
                                          • Instruction Fuzzy Hash: 4D3190B1510204AEDB10DF68DC80EFB73A9FF89760F008619F8A5D7280DA35ED81E760
                                          APIs
                                          • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FA461F
                                          • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FA4634
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: '
                                          • API String ID: 3850602802-1997036262
                                          • Opcode ID: 0983fdb7967083f95a51f34822a9ee118a85566ee831861dcea77658c5f9c5e9
                                          • Instruction ID: b2b096533fdea223bae625790c98ad79232e3a8d7d78fdc1cd4b2bb3a12c52c8
                                          • Opcode Fuzzy Hash: 0983fdb7967083f95a51f34822a9ee118a85566ee831861dcea77658c5f9c5e9
                                          • Instruction Fuzzy Hash: FC3119B5E012099FDB14CF69C990BDABBB5FF8A310F14406AE905AB391D7B0A941DF90
                                          APIs
                                          • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FA327C
                                          • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FA3287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: MessageSend
                                          • String ID: Combobox
                                          • API String ID: 3850602802-2096851135
                                          • Opcode ID: 58c366c2eed0ede17797aad954d806d15a502b76dcc77fddd6591e8ec87c8877
                                          • Instruction ID: 0cc821732c9b568eacb099c817c537ade49bc9312f2241a71d9eb91187963068
                                          • Opcode Fuzzy Hash: 58c366c2eed0ede17797aad954d806d15a502b76dcc77fddd6591e8ec87c8877
                                          • Instruction Fuzzy Hash: D311B6B17002087FEF219E54DC81FBB379AEB563A4F104125F91897290D6719D51A7A0
                                          APIs
                                            • Part of subcall function 00F1600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F1604C
                                            • Part of subcall function 00F1600E: GetStockObject.GDI32(00000011), ref: 00F16060
                                            • Part of subcall function 00F1600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F1606A
                                          • GetWindowRect.USER32(00000000,?), ref: 00FA377A
                                          • GetSysColor.USER32(00000012), ref: 00FA3794
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Window$ColorCreateMessageObjectRectSendStock
                                          • String ID: static
                                          • API String ID: 1983116058-2160076837
                                          • Opcode ID: 63ea269c6c9ba3cae0011cca47d1018268a4832255a5ff59913456a8c74920ac
                                          • Instruction ID: 602068964395133cc99019e27ef04f8c88b53952905b971907f8da78db813575
                                          • Opcode Fuzzy Hash: 63ea269c6c9ba3cae0011cca47d1018268a4832255a5ff59913456a8c74920ac
                                          • Instruction Fuzzy Hash: D91129B2610209AFDB00DFA8CC45EFA7BB8FB09354F004514F955E2250E775E951ABA0
                                          APIs
                                          • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F8CD7D
                                          • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F8CDA6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: Internet$OpenOption
                                          • String ID: <local>
                                          • API String ID: 942729171-4266983199
                                          • Opcode ID: aebd8f46414c1061f6efba7602c175b2bcec1628cceff57983f305b662d17b68
                                          • Instruction ID: 105612300cbf0ca2a0aae5619b7168edab3da0ac048be1963868f4a27234a02b
                                          • Opcode Fuzzy Hash: aebd8f46414c1061f6efba7602c175b2bcec1628cceff57983f305b662d17b68
                                          • Instruction Fuzzy Hash: EB11A3776056367AD7246B668C45FE7BEA9EB127B4F004226B52983180D6709841E7F0
                                          APIs
                                          • GetWindowTextLengthW.USER32(00000000), ref: 00FA34AB
                                          • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FA34BA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: LengthMessageSendTextWindow
                                          • String ID: edit
                                          • API String ID: 2978978980-2167791130
                                          • Opcode ID: 2ce3126190d2573f042bb3b0a04a0706a4c8fb129e476eb893f04c6a6b1b9022
                                          • Instruction ID: 52d891637dda853817384584829ddc2f05e6ebb1cafcad89b9c54cf3fb58fa8a
                                          • Opcode Fuzzy Hash: 2ce3126190d2573f042bb3b0a04a0706a4c8fb129e476eb893f04c6a6b1b9022
                                          • Instruction Fuzzy Hash: 2B118FB1900208AFEB118E64DC44AEB3B6AEB0A374F504324FD65971D4C775DD91BB90
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                          • CharUpperBuffW.USER32(?,?,?), ref: 00F76CB6
                                          • _wcslen.LIBCMT ref: 00F76CC2
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: _wcslen$BuffCharUpper
                                          • String ID: STOP
                                          • API String ID: 1256254125-2411985666
                                          • Opcode ID: cea267a4f46c6a1d9b715cba5ef1e614deed79e030c2d19e075665fcd59abc4c
                                          • Instruction ID: 6d5f7290b4885c76b96661a4161649816107b9c2149a7ae8bd8199765830b77c
                                          • Opcode Fuzzy Hash: cea267a4f46c6a1d9b715cba5ef1e614deed79e030c2d19e075665fcd59abc4c
                                          • Instruction Fuzzy Hash: 29010433A109278ACB219FBDDC809BF33A5EA61720B104526E856D6190EB35D940E691
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA
                                          • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F71D4C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_wcslen
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 624084870-1403004172
                                          • Opcode ID: 249aef2dbbd98d51ab24928ec47bb01e62fd69eec4c01b897d0747d9fb499afb
                                          • Instruction ID: 3a49bf12888d66779b5eea29638381fdc1d82f31523bbb67467690329962be33
                                          • Opcode Fuzzy Hash: 249aef2dbbd98d51ab24928ec47bb01e62fd69eec4c01b897d0747d9fb499afb
                                          • Instruction Fuzzy Hash: 8C012D71A001146BCB14EBA4CC11DFE73A5FB423A0B04450BF866573C1EA74590CBAA2
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA
                                          • SendMessageW.USER32(?,00000180,00000000,?), ref: 00F71C46
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_wcslen
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 624084870-1403004172
                                          • Opcode ID: 7a2cb259baacc2574b5a15c49fc6174885c9f46d7b9d60d182c741e9416f0685
                                          • Instruction ID: 03f8563a0870cf88ae57b8a8f11302abc1cdc49dcf398963f01373d3d0332d68
                                          • Opcode Fuzzy Hash: 7a2cb259baacc2574b5a15c49fc6174885c9f46d7b9d60d182c741e9416f0685
                                          • Instruction Fuzzy Hash: 9801FC75A4010466CB05E7D4CD52EFF73A8AB11340F24001BA80A672C1EA649E0CB6F3
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA
                                          • SendMessageW.USER32(?,00000182,?,00000000), ref: 00F71CC8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.2050546473.0000000000F11000.00000020.00000001.01000000.00000003.sdmp, Offset: 00F10000, based on PE: true
                                          • Associated: 00000000.00000002.2050466718.0000000000F10000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FAC000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050625499.0000000000FD2000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050706914.0000000000FDC000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.2050732254.0000000000FE4000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_f10000_New PO.jbxd
                                          Similarity
                                          • API ID: ClassMessageNameSend_wcslen
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 624084870-1403004172
                                          APIs
                                            • Part of subcall function 00F19CB3: _wcslen.LIBCMT ref: 00F19CBD
                                            • Part of subcall function 00F73CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00F73CCA
                                          • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00F71DD3
                                          Similarity
                                          • API ID: ClassMessageNameSend_wcslen
                                          • String ID: ComboBox$ListBox
                                          • API String ID: 624084870-1403004172
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: 3, 3, 16, 1
                                          • API String ID: 176396367-3042988571
                                          APIs
                                          • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F70B23
                                          Similarity
                                          • API ID: Message
                                          • String ID: AutoIt$Error allocating memory.
                                          • API String ID: 2030045667-4017498283
                                          APIs
                                            • Part of subcall function 00F2F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F30D71,?,?,?,00F1100A), ref: 00F2F7CE
                                          • IsDebuggerPresent.KERNEL32(?,?,?,00F1100A), ref: 00F30D75
                                          • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F1100A), ref: 00F30D84
                                          Strings
                                          • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F30D7F
                                          Similarity
                                          • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                          • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                          • API String ID: 55579361-631824599
                                          APIs
                                          • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00F8302F
                                          • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00F83044
                                          Similarity
                                          • API ID: Temp$FileNamePath
                                          • String ID: aut
                                          • API String ID: 3285503233-3010740371
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: %.3d$X64
                                          • API String ID: 481472006-1077770165
                                          APIs
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA236C
                                          • PostMessageW.USER32(00000000), ref: 00FA2373
                                            • Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          APIs
                                          • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FA232C
                                          • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FA233F
                                            • Part of subcall function 00F7E97B: Sleep.KERNEL32 ref: 00F7E9F3
                                          Similarity
                                          • API ID: FindMessagePostSleepWindow
                                          • String ID: Shell_TrayWnd
                                          • API String ID: 529655941-2988720461
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F4BE93
                                          • GetLastError.KERNEL32 ref: 00F4BEA1
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F4BEFC
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast
                                          • String ID:
                                          • API String ID: 1717984340-0